141 Lord Stevenson of Balmacara debates involving the Department for Digital, Culture, Media & Sport

Data Protection Bill [HL]

Lord Stevenson of Balmacara Excerpts
Report: 3rd sitting (Hansard - continued): House of Lords
Wednesday 10th January 2018

Lords Chamber
Amendment Paper: HL Bill 74-III Third marshalled list for Report (8 Jan 2018)

Lord Clement-Jones (LD)

My Lords, I thank the Minister. We on these Benches had considerable activity from the academic community, security researchers and so on. I am delighted that the Minister has reflected those concerns with the new amendments.

Lord Stevenson of Balmacara (Lab)

My Lords, I echo the noble Lord’s words. We also welcome these amendments. As has been said, this issue was raised by the academic community, whose primary concern was that the way the Bill had originally been phrased would make important security research illegal and weaken data protection for everyone by that process. It would also mean that good and valid research going on in our high-quality institutions might be at risk.

I do not in any sense want to question the amendments’ approach, but I have been in further correspondence with academics who have asked us to make a few points. I am looking for a sense that the issues raised are being dealt with. Either a letter or a confirmation that these will be picked up later in the process of the Bill is all that is necessary.

First, it is fairly common-sense to say that companies probably would not be very happy if a researcher picks up that they are not doing what they say on the tin—in other words, if their claim that their data has been anonymised turns out not to be the case. Therefore, proposed new subsection (2)(b) may well be used against researchers to threaten or shut down their work. The wording refers to “distress” that might be caused, but,

“without intending to cause, or threaten to cause, damage or distress to a person”,

seems a particularly weak formulation. If it is only a question of distress, I could be distressed by something quite different from what might distress the noble Lord, who may be more robust about such matters. I think that is a point to take away.

Secondly, we still do not have, despite the way the Minister introduced the amendment, definitions in the Bill that will work in law. “Re-identification”, which is used in the description and is part of the argument around it, is still not defined. Therefore, in proposed new Clause 161A(3), as mentioned by the noble Lord who introduced the amendment, the person who,

“notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification”,

has to do this,

“without undue delay, and … where feasible, not later than 72 hours after becoming aware of it”.

That is a very tight timetable. Again, I wonder if there might be a bit more elasticity around that. It does say “where feasible”, but it puts a rather tight cordon around that.

We are trying to make it safe for researchers and data scientists to report improperly de-identified data, but in the present arrangements the responsibility for doing all this lies with the researcher. We are asking a researcher to go to court, perhaps, and defend themselves, including arguing that they have satisfied Clause 162(2)(a) and (b) and Clause 162(3)(a), (b) and (c), which is a fairly high burden. All in all, we just wonder whether how this has been framed does the trick satisfactorily. I would be grateful for further correspondence with the Minister on this point.

Finally, there is nothing in this amendment about industry. It may not be necessary but it raises a question that has been picked up by a couple of people who have corresponded with us. The burden, again, is on the researcher. Is there not also a need to try to inculcate a culture of transparency in the anonymisation processes which are being carried out in industry? In other words, if there is a duty on researchers to behave properly and do certain things at a certain time, should there not also be a parallel responsibility, for example, on companies to properly and transparently anonymise the data? If there is no duty for them to do it properly, what is in it for them? It may well be that that is just a natural aspect of the work they are doing, but maybe the Government should reflect on whether they are leaving this a little one-sided. I put that to the Minister and hope to get a response in due course.

Lord Ashton of Hyde

I thank the noble Lord, Lord Clement-Jones, for his support on this. I accept that there may be things to look at that the noble Lord, Lord Stevenson, has mentioned. It is better to consider those things properly rather than give an answer off the top of my head at the Dispatch Box. I certainly commit to taking those points back and having a look at them. It may be that, when we correspond, something can take place in another place. In the meantime, I beg to move.

--- Later in debate ---
Lord Clement-Jones

My Lords, as a result of the vagaries of grouping, redrafting and so on, I am in danger of being the tail that wags the dog on this group of amendments, especially as Amendment 175 deals with the processing of personal data to which the GDPR does not apply. Amendment 175A is a much broader amendment, dealing with the implementation of not only article 82 but other aspects that are extremely desirable.

I know that the Minister will be fairly brief in response, so I will not rehearse all the arguments we put forward in Committee. The noble Lord, Lord Stevenson, led on this group of amendments and put forward many of the arguments made by a great number of organisations, such as Which?, Age UK, Privacy International and the Open Rights Group, for this kind of group representation, along the lines of the super-complaints in the Consumer Rights Act, which are highly desirable. I recommend—which shortens the job I have of introducing this amendment—that the Minister reads the blog on the Privacy International site written by the chair emeritus of PI’s board of trustees, Anna Fielder. She puts the arguments extremely well and wrestles with some of the points that the Minister made in Committee, which is extremely useful. I am certainly not going to go through all that, let alone the polling data, which I think refutes quite a lot of what the Minister said. This is extremely desirable. I support very strongly what the noble Lord, Lord Stevenson, has tabled. It is quite comprehensive in many ways. I look forward to his introduction of his amendment.

Finally, a very important factor in all of this is the support of the Information Commissioner. She has come to the conclusion, as she wrote very convincingly in her second memorandum, that we need to have this kind of right of representation where consent has not necessarily been obtained. I think we should listen very carefully to what she has to say. I beg to move.

Lord Stevenson of Balmacara

My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for his introduction and for paving the way to the comments I want to make. He suggested further reading but I might be able to shorten the reading list for the Minister, because I am going to cite a bit of what has been sent as part of that package. We went through most of the main issues and had a full response from Ministers the last time this was raised, in Committee. But since then we have of course amended the Bill substantially to provide for a significant amount of age-appropriate design work to be done to protect children who, either lawfully or unlawfully as it might be, come into contract arrangements with processors of their data.

That data processing will almost certainly be done properly under the procedures here. We hope that, within a year of Royal Assent, we will see the fruits of that coming through. But after that, we will be in uncharted territory as far as younger persons and the internet are concerned. They will obviously be on there and using substantial quantities of data—a huge amount, as is picked up when one sees one’s bills and how much time they spend on downloading material from the internet and has to find the wherewithal to provide for them. But I am pretty certain there will also be occasions where things do not work out as planned. They may well find that their data has been misused or sold in a way they do not like, or processed in a way which is not appropriate for them. In those circumstances, what is the child to do? This is why I want to argue that the current arrangements, and the decision by the Government not to allow for the derogation provided for in the GDPR under article 82 to apply, may have unforeseen consequences.

I am grateful to the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for supporting Amendment 175A, and I look forward to her comments later on, particularly in relation to children’s use. It is important to recognise that, if there is a derogation and it is not taken up, there has to be a good reason for that. The arguments brought up last time were largely along the lines that it would be overcomplicated to have two types of approach and that, in any case, there was sufficient evidence to suggest that individual consumers would prefer to be represented when they do so—of course, that falls away when we talk about children.

In Amendment 175A, we are trying to recognise two things: first, the right of adults to seek collective redress on issues taken up on their behalf by bodies that have a particular skill or knowledge in that area and, secondly, to do this without the need to form an association with an individual or group, or a particular body that has a responsibility for it. The two parts of the amendment will provide a comprehensive regime to allow victims of data breaches to bring proceedings to vindicate rights to proper protection of their personal data, always bearing in mind that children will have the additional cover provided by theirs being a third-party involvement. We hope that there will not be serious breaches of data protection. We think that the Bill is well constructed and that in most cases it will be fine, but the possibility that it will happen cannot be ignored. This parallels other arrangements, including those in the Consumer Rights Act 2015, which apply to infringements of competition law—not a million miles away from where we are here—and for which there is a procedure in place.

To anticipate where the Government will come from on this, first, I think they will say that there is a lot going on here and no evidence to suggest that it should work. I suggest to them that we would be happy with a recognition that this issue is being applied elsewhere in Europe and that there is a discrepancy if it is not in Britain. Secondly, there may be a good case for waiting some time until we understand how the main provisions work out. But a commitment to keep this under review, perhaps within a reasonable time after the commencement of the procedures—particularly in relation to children and age-appropriate design—to carry out a formal assessment of the process and to consider its results would, I think, satisfy us. I accept the argument that doing too much too soon might make this difficult, but the principle is important and I look forward to the responses.

Baroness Kidron (CB)

My Lords, I too want to speak to this amendment, to which I have added my name, and I acknowledge and welcome the support of the Information Commissioner on this issue. I support the collective redress of adults but I specifically want to support the noble Lord, Lord Stevenson, on this question of children.

At Second Reading and again in Committee I raised the problem of expecting a data subject who is a child to act on their own behalf. Paragraph (b) of proposed new subsection (4B) stipulates that,

“in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’s own rights have been infringed”.

This is an important point about the right of a child to have an advocate who may be separate from that child and whose own rights have not been abused. Children cannot take on the stress and responsibility of representing themselves and should not be expected to do so, nor should they be expected to police data compliance. Children whose data is processed unlawfully or who suffer a data breach may be unaware that something mischievous, harmful or simply incorrect has been attached to their digital identity. We know that data is not a static or benign thing and that assumptions are made on what is already captured to predict future outcomes. It creates the potential for those assumptions to act as a sort of lead boot to a child’s progress. We have to make sure that children are not left unprotected because they do not have the maturity or circumstances to protect themselves.

As the noble Lord, Lord Stevenson, said, earlier this evening, the age-appropriate design code was formally adopted as part of this Bill. It is an important and welcome step, and I thank the Minister and the new Secretary of State Matt Hancock, whose appointment I warmly welcome, for their contribution to making that happen. Children’s rights have been recognised in the Bill, but rights are not meaningful unless they can be enacted. Children make up nearly one-third of all users worldwide, but rarely do they or the vast majority of their parents have the skills necessary to access data protection.

The amendment would ensure that data controllers worked to a higher standard of data security when dealing with children’s data in the first place. Rather than feeling that the risk of a child bringing a complaint was vanishingly low, they would know that those of us who advocate for and protect the rights of children were able to make sure that their data was treated with the care, security and respect that we all believe it deserves.

--- Later in debate ---
Moved by
176: Clause 175, leave out Clause 175 and insert the following new Clause—
“Framework for Data Processing by Government
(1) The Commissioner must prepare a document, called the Framework for Data Processing by Government, which contains guidance about the processing of personal data in connection with the exercise of functions of—
(a) the Crown, a Minister of the Crown or a United Kingdom government department, and
(b) a person with functions of a public nature who the Commissioner recommends is specified or described in regulations made by the Secretary of State.
(2) The document may make provision relating to all of those functions or only to particular functions or persons.
(3) The document may not make provision relating to, or to the functions of, a part of the Scottish Administration, the Welsh Government, a Northern Ireland Minister or a Northern Ireland department.
(4) The Commissioner may from time to time prepare amendments of the document or a replacement document.
(5) Before preparing a document or amendments under this section, the Commissioner must consult—
(a) the Secretary of State, and
(b) any other person the Commissioner considers it appropriate to consult.
(6) Regulations under subsection (1)(b) are subject to the affirmative resolution procedure.
(7) In this section, “Northern Ireland Minister” includes the First Minister and deputy First Minister in Northern Ireland.”

Lord Stevenson of Balmacara

My Lords, the Government introduced quite late in the proceedings in Committee a group of amendments that set up a parallel system under which data processing undertaken by government departments could be considered to be governed. Our Amendment 176 attempts to ask some questions, and in that sense it is a probing amendment. It probably does not work as it stands, on reflection, but it raises important points. Because the Government introduced the amendments so late in the day, I feel justified in asking for a response to some of our questions around them. The scrutiny that we could have given to the amendments did not take place, and I am grateful to the noble Lord, Lord Clement-Jones, for adding his name to the amendment and look forward to his comments later.

The main purpose of the amendment is to get on record from the Secretary of State a set of answers to questions. To be clear, we are talking about the framework for data processing by government to which the original amendments apply, and to which our amendment refers, covering all data held by any public body, including the NHS. It is both outside the ICO’s jurisdiction and under the direct control of Ministers. The courts are bound by the framework, as are tribunals, and a special case exists only for international law. I am not quite sure how that works, so maybe we can get some answers on that. There may well be updates, but if there are changes, they will be applied retrospectively. It is quite a significant package in terms of powers. I understand that there may be nothing wrong with that if everything else is working. In a sense, if one wants efficient government and effectiveness, one is asking for such things to be in place. I am not criticising that.

There are questions. First, on the name, why is it a framework and not a code of practice? Codes of practice are defined in the Bill and have considerable consequences as a result. There is a standard for developing them and a process under which they take place. There are regulatory arrangements and the involvement of Parliament, but that does not apply to the framework. In other words, the Government’s own data does not go through the processes that apply to other data.

Why do the Government’s proposals exempt public sector processing from normal data protection law? Surely if the concern is about making sure that a subject’s data is always looked after properly, and data controllers, whoever they are, are doing it in accordance with the procedures set out at length by the Bill, in the GDPR and in the derived legislation that will take place—if we leave—under Brexit, all we are getting is a way of keeping people out of any consideration regarding the data that is held by government. Citizens’ data should really belong to citizens and we should not have a situation where it is looked after by Ministers on behalf of Ministers and there is no external view.

One could make a strong case—I am not necessarily doing that, but others have—that the Secretary of State has the power to create their own framework for the data protection of their own data and their own department. They can ignore completely what the Information Commissioner may say about that framework—she has no locus in that. The framework can be brought to Parliament but it is a negative procedure, not an affirmative one, so it is very difficult to scrutinise. We can vote against it; we can certainly discuss it if we see it in time, but it will not be at the same level of scrutiny as perhaps applies to other matters. Barriers can be raised, and the ICO’s enforcement mechanisms can be fettered, extended or changed.

I am sure that the Minister will have good answers to that and I am in no sense trying to attack the basic principle. I just wonder whether there is not a case here for Caesar’s wife—excuse the old-fashioned language, but it is a quotation, not a reference. Caesar’s wife was always required to be above suspicion, above any other public person in Rome of the day. I say that with detailed knowledge having just been to the RSC’s performances of the Cicero plays, as I think I already mentioned. Sorry if I am boring people.

Nevertheless, it raises in one’s mind the issues of standards and propriety in public life in a forceful way. Blood was more common then than it might be today, but the issue is right. If you are in a public position and a public responsibility is placed on you, you must not only be above reproach, you must be seen to be above reproach. I am not sure that the government amendments satisfy that. I beg to move.

Viscount Hailsham (Con)

My Lords, I have only two brief observations to make, one supportive and one otherwise. My supportive observation is that I am very much in favour of the use of the affirmative resolution procedure for the approval of regulations, rather than the negative one. I add in parenthesis that I have always believed that we in Parliament should be able to amend under the affirmative resolution procedure. When we come to the European Bill, that will be particularly important, but that is for another day.

Where I disagree with the noble Lord is on his proposal that the commissioner should be responsible for preparing the document. That seems to me essentially a matter for the Secretary of State, because of the principle of ministerial responsibility. Ministers can be questioned and quizzed in a way which is utterly impossible for Parliament to do with the commissioner. There is also a small technical point. If a Minister has to come to Parliament—for example, under an affirmative resolution procedure—to argue in favour of regulations which he or she has not made, but which have, rather, been made by the commissioner, that could be at least a trifle embarrassing.

Earl Attlee (Con)

To regain some favour with my noble friend the Minister, may I just say a little word about affirmative orders? It is tempting to say that we should have affirmative procedure but, at the end of the day, we will have at some point to debate those affirmative orders, and they keep mounting up. In respect of negative instruments, there is a praying period and we can flag them up for debate and have them debated in the Chamber in exactly the same way as we can an affirmative order.

Lord Stevenson of Balmacara

But I think that the noble Earl would accept that the last time a negative instrument was prayed against successfully was something like 1940—certainly a long time ago—and it was about the use of petroleum with open flames.

--- Later in debate ---
Lord Ashton of Hyde

Absolutely. The framework exists like other sectoral guidance that is produced, under the overarching guidance produced by the Information Commissioner. In a minute I will provide further reassurance on how the two interlink.

As I have already set out, the Government will consult the commissioner in preparing the framework. Importantly, she is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents.

Lord Stevenson of Balmacara

I know that we should not be intervening like this on Report, but the phrasing that the Minister just used is of interest—to the noble Lord, Lord Clement-Jones, as well, I think. What does “irrelevant” mean? Can the Minister unpick that a little? Either the Secretary of State has the power to do something, or not. If that power is conditional on the ICO having given broad agreement to it, under what conditions can the ICO intervene? Can it be because the commissioner regards it as irrelevant? What does that mean?

Lord Ashton of Hyde

I think it means that, if the Information Commissioner were considering the case of a data breach committed by the Government, she would normally take the framework into account, as she would take into account the guidance that other sectors produce. If, however, there were circumstances in which she did not consider that it was relevant for her investigation into whether the law had been broken, given that she is the enforcer of the law, she would be free to disregard it. The words “must take into account” mean that she is not bound by the provision but has to take it into account. She is, after all, the regulator who sits above all data processors.

I reiterate that the guidance will provide reassurance to data subjects about the approach the Government take to processing data and the procedures that they follow when doing so. It will help further strengthen the Government’s compliance with the principles of the GDPR.

Amendments 177 and 178, in the name of the noble Lord, Lord Clement-Jones, concern the process for making the guidance. The guidance may be revised if Parliament does not approve it or if it needs adjustment to be compatible with international obligations. It would be odd and irresponsible to abandon the problem these clauses are trying to resolve if Parliament does not approve the guidance. A revised version should be prepared. Similarly, data protection rules are often international in nature and indeed this Bill is based on three international instruments, so revising the guidance to maintain compatibility must be the sensible approach.

Amendments 179 and 180 seek to limit the effect of the guidance. Persons must have regard to the guidance but there may be good reasons why processing data in a particular set of circumstances can lawfully be conducted in a manner outside the guidance. As long as regard has been had to the guidance but good reasons for departing from it or for its non-applicability have been established, it is perfectly proper and within the norm of usual public law principles to do so. Clause 178 ensures that those principles are enforced.

In our view, the existence of a framework in no way impinges upon the commissioner’s independence. Clause 178(5) simply requires the commissioner to take a provision in the Government’s framework into account if it appears to her to be relevant to the matter in hand. For example, if the commissioner were to investigate a data breach by a government department, she may consider it relevant to consider whether or not that department had applied the principles set out in the framework. It is standard practice for the Information Commissioner to take into account relevant sectoral guidance when examining issues related to the processing of personal data by a particular sector. Clause 178(5) simply reflects that practice. Furthermore, nothing in Clause 178(5) constrains the Information Commissioner in any way. She is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents, as I said.

Government Amendments 184A and 184B are technical amendments and are similarly designed to assist with the Government’s compliance with the GDPR. Most bodies falling within the Bill’s definition of government departments are Crown bodies. Such bodies cannot contract with each other as the Crown cannot contract with itself. This constitutional quirk means that the usual GDPR requirement that controllers and processors must have a contractual relationship is impossible to satisfy where one department is processing on behalf of another. These amendments resolve this situation by allowing departments to enter into a memorandum of understanding between each other instead and remain GDPR-compliant.

On the basis of my comments, I hope that the noble Lord will feel able to withdraw his amendment and support the government amendments in this group.

Lord Stevenson of Balmacara

I thank the Minister very much indeed for his very full response. I will read it carefully in Hansard but at this stage, although it is a rather complicated issue, I understand where he is coming from and I think we can probably let it rest at this point. If there is anything else, I will write to him rather than prolong the discussion today.

I opined that negative resolutions were rarely voted down and cited 1940 as the last occasion that that happened, but I was wrong. Some 40 years ago on 24 October 1979, the Paraffin (Maximum Retail Prices) (Revocation) Order 1979 was defeated late at night during what appears to have been rather unsavoury activity by members of the Labour Party who hid in cupboards and things and then jumped out. Mr Hamish Gray, whom Members may recall, was unable to sustain the standing order and it had to be brought back later on—it was all very complicated and Hansard is wonderful about it. I beg leave to withdraw the amendment.

Amendment 176 withdrawn.
--- Later in debate ---
Moved by
181: After Clause 178, insert the following new Clause—
“Personal data ethics advisory board and ethics code of practice
(1) The Secretary of State must appoint an independent Personal Data Ethics Advisory Board (“the board”) as soon as reasonably practicable after the passing of this Act.
(2) The board’s functions, in relation to the processing of personal data to which the GDPR and this Act applies, are—
(a) to monitor further technical advances in the use and management of personal data and their implications for the rights of data subjects;
(b) to protect the individual and collective rights and interests of data subjects in relation to their personal data;
(c) to ensure that trade-offs between the rights of data subjects and the use and management of personal data are made transparently, inclusively, and with accountability;
(d) to seek out good practices and learn from successes and failures in the use and management of personal data;
(e) to enhance the skills of data subjects and controllers in the use and management of personal data.
(3) The board must work with the Commissioner to prepare a data ethics code of practice for data controllers, which must—
(a) include a duty of care on the data controller and the processor to the data subject;
(b) provide best practice for data controllers and processors on measures which, in relation to the processing of personal data—
(i) reduce vulnerabilities and inequalities;
(ii) protect human rights;
(iii) increase the security of personal data; and
(iv) ensure that the access, use and sharing of personal data is transparent, and the purposes of personal data processing are communicated clearly and accessibly to data subjects.
(4) The code must also include guidance in relation to the processing of personal data in the public interest and the substantial public interest.
(5) Where a data controller or processor does not follow the code under this section, the data controller or processor is subject to a fine to be determined by the Commissioner.
(6) The board must report annually to the Secretary of State.
(7) The report in subsection (6) may contain recommendations to the Secretary of State and the Commissioner relating to how they can improve the processing of personal data and the protection of data subjects’ rights by improving methods of—
(a) monitoring and evaluating the use and management of personal data;
(b) sharing best practice and setting standards for data controllers; and
(c) clarifying and enforcing data protection rules.
(8) The Secretary of State must lay the report made under subsection (6) before both Houses of Parliament.”
Lord Stevenson of Balmacara

My Lords, we can be quite brief on this matter. It is an open secret that both the Government and Her Majesty’s loyal Opposition, joined by others who have signed Amendment 181, were keen to try to move ahead with the idea of setting up a data ethics board or panel and giving it powers and teeth, particularly in light of the recent Budget, in which it was clear that there was money available for it to be established and start spending. We felt that it would be nice to get that going. Unfortunately, the rules of the House are so tight that it has not been possible to find a form of words for the powers that would be used to set up this advisory board which would be sufficiently broad to give a proper basis for the ambitions that we all share for it. On the basis that I think the Government may have something to say about this, I will not extend the discussion on this, because there is so much common ground. I look forward to hearing from the Minister, but to get the debate going I beg to move.

Lord Clement-Jones

My Lords, we are at the last knockings on most of the Bill. It is rather ironic that one of the most important concepts that we need to establish is a new data ethics body—a new stewardship body—called for by the Government in their manifesto, by the Royal Society, by the British Academy and by many others. Many of those who gave evidence to our Select Committee want to see an overarching body of the kind that is set out, and with a code of ethics to go with it. We all heard what the Minister had to say last time; we hope that he can perhaps give us more of an update on the work being carried out in this area.

This should not be and I do not think it will be a matter of party contention; I think there will be a great deal of consensus on the need to have this kind of body, not just for the narrow field of data protection and the use of data but generally, for the wider application in the whole field, whether it is the internet of things or artificial intelligence, and so on. There is therefore a desire to see progress in fairly short order in this kind of area. One of the reasons for that is precisely because of the power of the tech majors. We want to see a much more muscular approach to the use of data by those tech majors. It is coming down the track in all sorts of different varieties. We have seen it in debates in this House; no doubt there will be a discussion tomorrow about social media platforms and their use of news and content and so on. This is therefore a live issue, and I very much hope that the Minister will be able to tell us that the new Secretary of State is dynamically taking this forward as one of the top items on his agenda.

Lord Ashton of Hyde

My Lords, I can certainly confirm that the new Secretary of State is dynamic. In this group we are in danger of violently agreeing with each other. There is a definite consensus on the need for this; whether there will be consensus on the results is another matter. I agree with the analysis given by the noble Lord, Lord Stevenson, that the trouble is that to get this into the Bill, we have to concentrate on data. As the noble Lord, Lord Clement-Jones, outlined, many other things need to be included in this grouping, not least artificial intelligence.

I will briefly outline what we would like to do. For the record, we understand that the use of data and the data-enabled technologies is transforming our society at unprecedented speed. We should expect artificial intelligence and machine learning to inform ever more aspects of our life in increasingly important ways. These new advances have the potential to deliver enormous benefits to society and the economy but, as we are made aware on a daily basis—like the noble Lord, Lord Clement-Jones, I am sure that this will be raised tomorrow in the debate that we are all looking forward to on social media—they are also raising a host of new and profoundly important challenges that we need to consider. One of those challenges, and the focus of this Bill, is protecting people’s personal data—ensuring that it is collected, retained and used appropriately. However, the other challenges and opportunities raised by these technologies go far beyond that, and there are many examples that I could give.

Therefore, in the Autumn Budget the Government announced their intention to create a centre for data ethics and innovation to maximise the benefits of AI and data technologies to society and the economy, and to help identify and address the ethical challenges that they pose. The centre will advise the Government and regulators on how they can strengthen and improve the way that data and artificial intelligence are governed. It will also support the effective, innovative and ethical use of data and artificial intelligence so that we maximise the positive impact that these technologies can have on our economy and society.

We are in the process of working up the centre’s terms of reference in more detail and will consult on this soon. The issues it will consider are pressing, and we intend to set it up in an interim form as soon as possible, in parallel to this consultation. However, I fully share the noble Lord’s view that the centre, whatever its precise form, should be placed on a statutory footing, and I can commit that we will bring forward appropriate legislation to do so at the earliest opportunity. I accept the reasoning from the noble Lord, Lord Stevenson, on why this is not the appropriate place due to the limitations of this Bill, and I therefore hope that he will be able to withdraw his amendment.

Lord Stevenson of Balmacara

I am very grateful to the Minister for that response. That is probably the right way forward, and I beg leave to withdraw the amendment.

Amendment 181 withdrawn.

Data Protection Bill [HL]

Lord Stevenson of Balmacara Excerpts
Report: 2nd sitting (Hansard): House of Lords
Wednesday 13th December 2017

(6 years, 5 months ago)

Lords Chamber
Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Maxton (Lab)

My Lords, I shall not follow the noble Viscount, Lord Falkland, down the road of horseracing because I have a confession to make, which is that I have never been in a betting shop in my life as far as I know—unless I was taken in as a very young child. I have three points to make. The first is the question of what sport is, because it is vital to the amendment—which I will be supporting. Darts and snooker are considered sports. They are therefore covered by any legislation relating to sport. You have only to watch “Strictly Come Dancing”, however, to know that a lot more physical activity is involved in dancing than in either darts or snooker, yet dancing is not covered by this legislation because it is not considered a sport.

Secondly, there are differences in the drugs taken by snooker players, for instance. A snooker player would be banned if he took a beta blocker, because a beta blocker slows the heart down, slows the pulse down and slows everything down, but if any other athlete took it, it might be for medical purposes—although it would not be to his benefit or advantage to do so.

Thirdly, I gather that under this country’s present doping laws recreational drugs are banned by all sporting bodies and the UK sports drugs authority. In some countries, however, it is legal to take, for instance, cannabis—to be honest, I am one of those who think it should be legal in this country as well; it should be part and parcel of the legal system that we allow people to take cannabis. But it would be banned. If it is illegal—this question may be one for the noble Lord, Lord Moynihan, directly—and an athlete comes to this country to take part in an international event, be it football or whatever, from a country where it is legal to take cannabis, and if he has taken cannabis in the last 24 hours and it shows up in a drugs test, will he be banned from taking part in that event? Some countries allow it. Why are recreational drugs part of that authority anyway? It is a police matter in this country, not a matter for sporting bodies, therefore we ought to take recreational drugs out of the equation altogether.

Lord Stevenson of Balmacara (Lab)

My Lords, the Government must be quaking in their shoes whenever a Back-Bencher offers to come to their help. I looked across at the Dispatch Box when I heard the noble Lord, Lord Moynihan, make that offer and I saw a definite quiver come over the Minister’s face. Clearly, we are in for something rather interesting. We were entertained by the noble Viscount, Lord Falkland, with his worries about the BHA, but he said he thought that it is really quite simple at the end of the day—we need to keep the money out and sort out the betting influences that are affecting all our sports. He is absolutely right. The public have come to the end of their tether and it is time that we got this sorted: we have to keep sport clean and eliminate cheating. The data is key to this, as the noble Lord, Lord Moynihan, said.

We expect a great deal of our athletes in terms of their whereabouts and their strict liability, so we have to make sure that the systems under which they operate are fair, properly organised and regulated. In short, we have such high stakes in this that we have to be sure that we up our game—I am sorry about the puns. We should be clearer than we are at the moment about who has responsibility for what and how it is operated, and that is what this amendment is about. DCMS needs a stronger NDPB, in the form of UKAD or a successor body, and there needs to be an authority exercised with care and consideration as to how the rules will apply and to whom they apply. All these definitional points, all the concern about where it goes, are tied up in that set of constructs, which is what this amendment deals with. I think it is very powerful.

If noble Lords look back at the way in which a state was able to influence the way that the drug-testing system operated in the winter Olympic Games in Russia, they will understand how this thing has got to a new level of concern. We must have appropriate safeguards and ways of operating in place to insulate those who are trying to do the right thing from the charge that they are involved too closely. The public will stand for no less. I recommend this amendment very strongly and we will support it should it be necessary to take it to a vote. I hope that that will not be necessary, because as the noble Lord, Lord Moynihan, said, this is an area of such importance that the right thing to do would surely be for the Government to accept this amendment today and bring it back at Third Reading with a proper wording and proper consideration that will reassure any who still doubt it. In the interim, we will support it if necessary.

Lord Clement-Jones (LD)

My Lords, as ever the noble Lord, Lord Moynihan, made his case extremely well. We on these Benches share his objectives and, indeed, most of the objectives of the noble Lord, Lord Stevenson, around clean sport, particularly putting UKAD on a statutory footing and having a proper framework around the powers in the Bill.

I know that the noble Lord, Lord Moynihan, feels that these need a proper definition and control. However, despite the noble Lord’s best efforts this amendment is not the finished article. Sadly, there are still discussions taking place. Noble Lords have had a great deal of material from governing bodies, including the England and Wales Cricket Board, the Rugby Football Union, the British Horseracing Authority and the Sport and Recreation Alliance, which by itself represents some 320 organisations.

Further discussions need to take place so that we get to an agreed position. I feel very uncomfortable at this point. All those governing bodies may be speaking with different voices, as the noble Lord, Lord Moynihan, suggests, and he has entered discussion with them in good faith, but other voices have come to us saying that they are not yet able to accept what he has put forward. There is still work to be done. I very much hope that the Minister will take on board the fact that many of us around the House, particularly on these Benches, want those conversations to continue and an agreed amendment to be brought forth at Third Reading.

--- Later in debate ---
Moved by
33: Schedule 1, page 126, line 21, at end insert—
“Safeguarding of children and vulnerable adults
32A(1) This condition is met if the processing—
(a) is necessary for the exercise of a safeguarding activity,
(b) is carried out without the consent of the data subject so as not to prejudice the exercise of that activity, and
(c) is carried out in compliance with any guidance issued under statute by a Minister of the Crown or a Scottish Minister or Welsh Minister as the case may be.
(2) In this paragraph, “safeguarding activity” means an activity designed to—
(a) protect children and vulnerable or protected adults from maltreatment,
(b) prevent the impairment of children’s, or vulnerable or protected adults’, health or development,
(c) ensure that children grow up in circumstances consistent with the provision of safe and effective care, or
(d) enable children and vulnerable or protected adults to have the best outcomes.
(3) This paragraph applies to a safeguarding activity carried out whether as part of a statutory function or otherwise by any holder of a public office, institution, authority, church or religious congregation, company, organisation, body, or association, whether or not having corporate status.
(4) This paragraph does not apply to the activities of individuals acting in a private capacity.
(5) In this paragraph—
“child” means a person who has not attained the age of 18;
“vulnerable adult” has the same meaning as in paragraph 7 of Schedule 4 to the Safeguarding Vulnerable Groups Act 2006;
“protected adult” has the same meaning as in the Protection of Vulnerable Groups (Scotland) Act 2007.”
Lord Stevenson of Balmacara

My Lords, I intend to be brief, but not because this is a minor matter—quite the reverse. This is one of the biggest concerns that we should have about how we engage through the public view on the issues that affect many of our citizens. I am talking particularly here about safeguarding, especially in relation to sport, although it also has wider concerns, wherever an adult has responsibility for a child.

The public concern has mostly focused on issues such as football and swimming in recent months and the last few years, but there are wider concerns that have been dealt with under various inquiries, and we await the results. The narrow issue relating to this Bill is that those individuals or bodies that have a protective function of safeguarding children or, indeed, vulnerable adults, and need to process sensitive data, even though they have no legal obligation to do it and have no statutory function may be an issue that the Government wish to return to. There is no doubt that UK Anti-Doping has the powers that are necessary in sports. But when members of the public and their children are not being sufficiently looked after, extra vigilance must be taken, and we must ensure that the Bill in no way affects that.

I have tabled this amendment, sent to us by a number of bodies involved in sport, but there are other groups outside the sporting area with interests here. The Government are currently discussing these issues and hoping to come to a conclusion shortly. On that basis, I hope that the Minister can give us some indication of the progress that has been made here and, if he can, some sense of the timescale in which the Government will act. I beg to move.

Lord Ashton of Hyde

My Lords, I will be brief. Amendment 33 seeks to introduce a condition permitting the processing of special categories of personal data where it is necessary for the purposes of safeguarding children or vulnerable adults. The Government take the issue of safeguarding extremely seriously and recognise the need for the Bill to provide certainty to organisations with safeguarding responsibilities, so I thank the noble Lord, Lord Stevenson, for raising this issue.

Organisations in all sectors wish to ensure that they have a lawful basis when they process special categories of data for safeguarding purposes. In many—maybe even all—circumstances, organisations will be able to rely on existing conditions under the Bill: for example, where processing is necessary for the purposes of preventing or detecting unlawful acts or where the processing is necessary for the exercise of functions under legislation or under a rule of law. However, I recognise that there is an argument for having a specific safeguarding condition to put the issue beyond doubt.

This is an issue which requires careful consideration and noble Lords may be assured that my department is actively working across government and with stakeholders in the voluntary and private sectors to consider the issue. We must be mindful, for example, of the broader implications of defining safeguarding and vulnerability within data protection law. Inclusion of such definitions within the Bill could have unforeseen consequences for other legislation which uses the same, or similar, terminology. As such, I can assure noble Lords that the Government are sympathetic to the objective of this amendment. However, given the importance of this issue and the potential impacts both within and beyond data protection law, we are sure that further consideration is required before any amendment can be brought forward. I can assure noble Lords that we will continue to examine this issue urgently. While it will not be possible to conclude our consideration in time for Third Reading, I am confident of doing so in time for Committee stage in the Commons. On the understanding that we will return to the issue of safeguarding in the Commons, I hope that the noble Lord feels able to withdraw his amendment this evening.

Lord Stevenson of Balmacara

I am grateful to the Minister for giving such a precise response to this, not only on the substance, recognising the issue and confirming that it needs to be put beyond doubt that the powers will exist, but giving us the assurance that this matter will be brought back in the Commons, which is wonderful. I beg leave to withdraw the amendment.

Amendment 33 withdrawn.
--- Later in debate ---
Baroness Hamwee (LD)

My Lords, I support my noble friend’s amendments. The points that he made apply almost entirely to Amendments 91, 92 and 94, which relate to later parts of the Bill, including particularly the phraseology “solely” and in Amendment 94 “solely” or “partially”.

I am pleased that the noble Baroness, Lady Jones, decided to retable her amendments. What she said can be summed up as, “Human rights, so human decision”. Human beings will ensure transparency and accountability in a way that machines simply do not. The Minister smiled when the noble Baroness said that she was not sure whether she was clear on the last occasion. I rather wish that I could ask her to give us the reassurances and concessions that that smile might have indicated, but I do not know.

These issues are extremely important. I was thinking about them over the weekend and, although it sounds patronising, the Government are entirely correct to ensure that human rights are engaged in these subjects. Given how central human rights are, they cannot be thought of as an occasional peripheral, particularly not as regards law enforcement and security issues. I have come full circle to thinking that the protection of human rights should be spelled out at the start of the Bill, which would take us back to our debate on Monday about an introductory clause covering the protection of a subject where the right is not absolute because of the criteria of necessity and proportionality. I think that that should be made clear in the Bill and it would put what the noble Baroness is seeking to achieve in her amendments in the right context. I support her in this.

Lord Stevenson of Balmacara

My Lords, we have Amendment 37 tabled in my name and that of my noble friend Lord Kennedy in this group. The focus of our amendment is to tease out from the Dispatch Box a sense of what is meant by “meaningful” in the context of the discussions we have already had about how organisations might disclose details of algorithms used in profiling and data-driven decision systems, to meet the obligation in the GDPR to provide meaningful information about what has been going on in that space. It will be difficult to do this because “meaningful” can involve many words and obligations and is, I think, a slightly slippery concept. It will probably exercise the noble and learned Lord, Lord Mackay of Clashfern, in its imprecision—but do not blame us, mate; it is the GDPR, which we are not allowed to discuss. However, I think that the Minister can help us here by providing a bit more information.

We have suggested that a way of dealing with this would be to look at how the information is used and make it a requirement that it should,

“be sufficient to enable the data subject to assess whether the profiling will be beneficial or harmful to their interests”.

That may not be sufficiently strict legal language but, if it is an important distinction, it would help to get us to the point at which the Minister might say that she will bring back improved wording in an amendment at Third Reading.

The real issue which is not discussed here is the question of whether we can access the algorithms themselves. The problem, and the reason for the solution to that problem lying in terms of the test of how it works in practice, is that it is not sufficient just to have simple information about the actual mathematics of the algorithm because that in itself would not give us enough information. What we need, for those in a particular part of the population cohort, is knowledge of the consequences of being in one category or another and how that is weighed up by those carrying out the processing. This covers all the ways in which decisions are made on credit, on our purchases and how we are advertised to. It is happening now, so the sooner we can get the information, the better. I look forward to hearing the Minister’s comments when she comes to respond.

The Minister of State, Home Office (Baroness Williams of Trafford) (Con)

My Lords, I start by thanking noble Lords for their amendments, which bring us back to the important issues around the use of automated processing in what is an increasingly digital world. I apologise if my smile was misleading, I was just very pleased to see the noble Baroness in her place; it did not indicate anything other than that.

The range in which automated processing is applied includes everything from suggested views on YouTube to quotes for home insurance and beyond. In considering these amendments it is important to bear in mind that automated decision-making can bring benefits to data subjects, so we should not view these provisions simply through the prism of threats to data subjects’ rights. The Government are conscious of the need to ensure that stringent provisions are in place to regulate appropriately decisions based solely on automated processing. We have included in the Bill the necessary safeguards such as the right to be informed of automated processing as soon as possible, along with the right to challenge an automated decision made by a data controller or processor. We have considered the amendments proposed by noble Lords and believe that Clauses 13, 43, 48, 94, 95, 111 and 189 provide sufficient safeguards to protect data subjects of all ages—adults as well as children.

--- Later in debate ---
Moved by
41A: After Clause 13, insert the following new Clause—
“Use of private personal data accounts
(1) Within the period of 12 months beginning with the day on which this Act is passed, the Commissioner must carry out a public consultation on the use of private personal data accounts by data subjects.
(2) The consultation must include, but is not limited to—
(a) how the rights accorded to data subjects under the GDPR and this Act, including the rights to rectification and to be forgotten, may be affected by having a private personal data account;
(b) the conditions under which a data subject may make their personal data available to data controllers via a private personal data account; and
(c) the remuneration arrangements which may arise between a data subject and a data controller through the use of a private personal data account.
(3) In this section, “private personal data account” means a single account through which a data subject can store and share their personal data with data controllers.”
--- Later in debate ---
Lord Stevenson of Balmacara

My Lords, I can be brief, I hope. Amendment 41A builds on a discussion held in Committee. We were trying to articulate, perhaps not very successfully but with some justification, the nature of the relationship between data subjects and data controllers when data is passed across for processing and use by that data controller. At that time my thinking was stimulated by work that we had read and heard about in relation to the idea that a person’s data could be given a personal copyright. That would open up to data subjects who are giving data to data controllers the rights that come with copyright ordinarily, such as a limited time—quite a long time, though—in which they have ownership and therefore are licensing their data for use. That could be subject to remuneration, as is very often the case in the creative industries where copyrights are used; they are used on a licensed basis for which remuneration is returned. If that were the case, one might also question whether copyright should be time-limited. That would put an end to the question of whether data subjects could withhold or retract their information in some sense, or rectify it so that it would not, therefore, be archived or go forward into other activities.

Since that time, a surprisingly large number of people have contacted me about this and offered advice and thoughts—not all of it helpful, I have to say. There seems to be a certain feeling that personal copyright is not the way to go forward on this, although I am still quite attracted to it. However, in that process I got a very interesting set of communications around the idea of data subjects becoming controllers of their own data; in other words, personal data controllers. This is a difficult concept. It seems to suggest that two characteristics are existing in the same time and space. Of course, the force will be with us when we get to this, but I am not sure I quite understand how it would happen. I think the problem has come because of the timeframe in which the GDPR was created. Preliminary debates took place in 2012 to 2014, and the GDPR dates from 2016 and will come in in 2018. We are talking about six to eight years since the original thinking, which is a very long time in cyberspace.

We have found that technology has moved ahead of us and the issue raised by this amendment, if I may be so bold as to suggest it, is that we will have to think quite hard about how individual data is used by data controllers, in the context not just of the Bill, but of the way in which the technology is moving. I fully expect the Minister to say that this is a blue-sky issue that needs to be picked up and looked at. Warm words will be offered and even a smile or two might glance its way across the Chamber to me and I will sit down in a miasma of happiness as a result, but the truth is that we need expertise and advice—this is not an easy concept, even if the force is with us. We will need to think harder about all these issues, including the points we have been talking about in terms of algorithms and automated use, in the context of people’s advancing rights and use of their data. It calls for a data ethics commission. The subject will come up again and I am sure that we will return to it on day three of Report, but in the interim I beg to move.

The Earl of Erroll (CB)

My Lords, this amendment has a lot of merit. For some time I have been discussing with certain people who know an awful lot about this, as has the noble Lord, the concept of agency: having control over your own information. It is a very important concept because the GDPR and the Bill are all about data processors looking after your stuff for you, but the real issue is having control over things that affect you. Why, if people are using it to make money out of you or on your behalf, should you not sell them that control in return for better access?

There are many issues around this that might suit a modern world in which your data can be useful, but to you, so that data processors do not just mine it and use it for their own purposes—you have control over it. This amendment has a lot of merit because it gives a foundation for us to start researching this. There is no compulsion here, but it could move us down a line whereby the data subject—the person in the street—suddenly gets some control over what happens when people research things for their own good. We are going to have to give away our location and other things to use most of these apps, so why can we not also control that and decide how to sell it to other people and benefit from it ourselves?

--- Later in debate ---
Baroness Chisholm of Owlpen (Con)

My Lords, I thank the noble Lord, Lord Stevenson, for explaining the amendment, and the noble Earl, Lord Erroll, the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, for their words. The amendment is fascinating. When I talked to the noble Lord, Lord Stevenson, about it earlier today, I thought that it just shows how interesting it is, how fast everything is moving in this world and how difficult it will be for us to keep up. I feel rather relieved that I may not be around to have to grapple with it myself and that there will be younger people better at dealing with it than I am.

The amendment would require the Information Commissioner to consult on the use of private personal data accounts, which provide for people to retain greater ownership of their data. While I recognise the intention behind this amendment—to stimulate debate and a shift in public attitudes towards personal data and its value—this is not the appropriate means through which to pursue these aims.

By way of explanation, I have three quick points to make. First, I question the value of the Information Commissioner consulting on the use of private data accounts, which are already available to those members of the public who wish to use them. Importantly, the priority for the commissioner at the moment and for the foreseeable future is helping companies and organisations of all sizes to implement the new law to ensure that the UK has the comprehensive data protection regime we need in place, and to help prepare the UK for our exit from the EU. I hardly need to point out that these are massive tasks, and we must not divert the commissioner’s resources from them at this point.

Secondly, it is a question not only of resource, but of remit. It is right that the commissioner monitors and advises on developments in the use and storage of personal data, but it is not her role to advise on broader issues in society. The question of whether individuals should have ownership of their personal data and be remunerated by companies for its use falls squarely into that category. The commissioner is first and foremost a regulatory body.

Thirdly, I take this opportunity to highlight that there are already mechanisms in the new regime which will support individuals to have more control over their data and place additional requirements on data subjects. For example, data controllers will be required, when obtaining personal data from an individual, to inform that person of: the purposes for which their personal data are being processed; the period for which their data will be stored, to the extent that this is possible; their right, where applicable, to withdraw consent for their data to be used; and their right to lodge a complaint with the supervisory authority. Obviously, that is not an exhaustive list but it is illustrative of the protections that will be put in place. Such information must also be updated if the controller intends to process the personal data for any new purpose.

I fully agree with the noble Lord that the questions of an individual’s control over their data and the value of that data are worthy of debate and, as I said earlier, we will have to wrestle with them for years to come as the digital economy evolves. However, the Government’s view is that the Bill strikes the right balance between protecting the rights of data subjects and facilitating growth and innovation in the digital economy, and that placing an arbitrary requirement on the commissioner to consult would not be appropriate or the best use of her resources at this point. On that basis, I urge the noble Lord to withdraw his amendment.

Lord Stevenson of Balmacara

I thank all noble Lords who have spoken in this short debate, particularly the noble Earl, Lord Erroll, for the idea about agency, which is an important construct that we will need to keep an eye on. He is quite right about that. I thank the noble Baroness, Lady Kidron, for reminding me, correctly, that I had got a lot of information from the IEEE, whose work on this I have praised before. I reiterate that: it has done a great job in trying to think through some of the bigger issues involved in this area. I also take this opportunity to acknowledge the debt I owe an organisation called HATDeX, which has been working in this area and from which I got the original idea of a private personal data account.

I agree with the noble Lord, Lord Clement-Jones, that this is something that will come back to haunt us. Obviously, as long as the Minister is there with her beaming smile, we will be able to resist all blandishments to come at it, but I think it will come and bite us. It was not an arbitrary thought of mine that it might be something that the ICO would want to look at. I know from talking to the ICO that it is interested in this as well. I think the Minister is saying that the proposal, as it is, stands outside the Bill framework, but that is because the Bill focuses on a particular area, and perhaps that is a pity. But if it is not the ICO, who is it? I hope it will be the data ethics commissioner that we hope to establish in the future. I beg leave to withdraw the amendment.

Amendment 41A withdrawn.
--- Later in debate ---
Lord Finkelstein

I hope the noble Lord, Lord McNally, will forgive me, but I feel his comments require response. I recall at a university meeting when we had to discuss rules for debate, one student started a speech with, “I’m a liberal, but I’m against free speech”. I notice we have a very large turnout of both small “l” and big “L” liberals in the House, which usually suggests we are about to ban something. I am very sorry to be on the other side from the noble Lord, Lord McNally, who has been my inspiration and mentor for many years, but I have to disagree with him on this.

First, the proponents of these various amendments argue that these changes are not an attack on free speech but, in practice, they are. They tilt the balance against investigative journalism, scrutiny of the powerful and legitimate inquiry. The high bar introduced of necessity would have a chilling effect for anyone who has worked on practical investigations. What will happen is not so much that the law will be used, but that it will never be used because investigations will not take place.

Secondly, the proponents say that this is not about state regulation of the media, but it is. It will be done in two ways. The Information Commissioner will end up with so much power that he or she will become a press regulator whether or not he or she wishes to. That would be the impact of Amendment 55. At the same time, newspapers will be pulled against their will into Impress, which has been the burden of several remarks in this debate. That is also an aim of Amendment 55. It is simply nonsense to say that all that is being sought is voluntary self-regulation when the failure to volunteer or regulate in a state-approved way and be licensed by a state body is backed up by repeated attempts to penalise and punish, as these amendments would do.

Thirdly, the proponents say that all we will be doing is controlling behaviour, not content. I am afraid that this is wilfully naive. Impress has been named as a regulator. That choice by the panel is instructive. The behaviour of the staff and board of Impress, the body the panel has approved, shows quite clearly the agenda being followed. Its chief executive has been sharing views such as:

“John Lewis is bringing its name into disrepute by advertising in a Neo-Fascist rag”,


and:

“I do like @StopFundingHate’s campaign to defund racist media”.


This means it cannot claim to be the independent regulator the noble Lord, Lord Low, talked about. This is apparently acceptable as charter-approved behaviour, yet some noble Lords are critical that national newspapers are suspicious of the charter and fear Impress.

My fourth point is very important because the noble Lord, Lord McNally, said this in Committee. I respected it and listened to it. He said that newspapers have “got away with it”. This is not the case. People went to jail, newspapers closed and the regulatory system changed utterly. Those of us working in the industry all know and agree that there has to be change. Anyone who thinks that there has not been has not read a newspaper or been in a newspaper office since the scandal broke. I respect and understand the pressure for change, but you have to take “yes” for an answer.

Finally, there is a suggestion that the public are crying out for further regulation and more inquiries. People who advance this argument must have been in different constituencies from me. The attempt to hijack Bills to bully the press into compliance is a diversion from the public interest and there is no public pressure for it. Of course, it is right to insist on high standards of behaviour, but to introduce amendments designed to help powerful people keep secrets and to make free publication harder is an odd position for liberals. All I ask is that we do not remove protections in Britain enjoyed by Europeans. Normally, this rallying cry is very effective in this House. Let us hope that it is today.

Lord Stevenson of Balmacara

My Lords, I had better deal with Amendment 55, which is in my name and that of my noble friend Lord Kennedy. I am loath to do so at any length, so I simply say that it will be answered by the Minister when he responds. He has partially given me the answer and it would be wrong for me to anticipate the rest of it. I reassure him that I do not intend to press that amendment.

This debate is not about free speech; it is the latest exchange in a long-running debate on how in a democratic society we enshrine the press’s freedom to publish as it sees fit, root out the culture of abuse, illegality and criminality which has for too long involved all the newspapers at some point or other, and make sure that victims can get effective redress when such abuse happens. We should not lose sight of those cardinal aims.

If the House believes that everything in the garden is rosy, as the previous speaker tried to persuade us, we can of course do nothing and simply allow the Data Protection Bill to go forward as amended. I agree that the Minister has moved a long way and agree with the noble Lord, Lord Black, that we could now rely on the processes and procedures that have worked so well since 1998—for nearly 20 years. They could be allowed to continue, because they are tried and trusted and seem to do most of what we require.

But it is not like that. One could not listen to my noble friend Lord Prescott and the noble Lord, Lord McNally, for any length of time without feeling that there is still a canker. Something needs to be cut out of what we currently do and we are failing as a House if we do not do what we must to get this right. We have a lot of problems. We had a cross-party agreement; that has gone. We have let down the victims grievously time and again. We are unable to discuss this without accusations of a ridiculous nature being thrown at us about our intentions and processes. We need to do this properly; we need to do it coolly and with some consideration. We need evidence of the changes that are affecting the press. Is it true that the traditional press as we know it is going down the tube? Is it true that fake news, other news sources and the other things that our children are reading and reporting to us will destroy our understanding in a democratic society of what it is to be informed about the way things are done? Will we lose the extremely good points made by the noble Baroness, Lady Cavendish, who said that she was an investigative journalist and proud of her record, which is exemplary? We want that to continue, but we do not want people such as the noble Baroness, Lady Hollins, to suffer as a result of it. We have to be mature about this; we have to get it right.

I have an amendment, Amendment 165, to be taken on Wednesday 10 January—buy your tickets now—which will rehash a lot of our discussion today. It is focused on running a proper inquiry into what needs to happen now to deal maturely with the issues which the press does not wish to be regulated. It tries to find a way forward, to investigate the illegality of the past and learn lessons from it. Above all, it seeks to get a handle on this whole issue and come forward with a proper set of recommendations that we can implement. I hope that the House will look at that carefully when we come to it. In the interim, my advice to the noble Baroness, Lady Hollins, whom I admire for the fantastic work she is doing and I want to be with her on it, is to withdraw her amendment now and live to fight another day on 10 January.

Lord Keen of Elie

My Lords, the noble Baroness, Lady Hollins, has reminded us a number of times in this House of the need for suitable press regulation, and she has some interesting arguments. I am grateful for the time she took earlier this week to meet me and explain her perspective and concerns. However, the position remains that the Government cannot accept her Amendment 50A. The Government support objective, high-quality journalism and a free press. We are committed to ensuring there is a sustainable, effective business model for high-quality media. Of course, we also need a fair system and this Bill is designed to strike a fair balance between individual privacy rights and the right to freedom of expression. The noble Lords, Lord Lester and Lord Pannick, and the noble and learned Lord, Lord Brown of Eaton-under-Heywood, have just alluded to the requirement in law for us to maintain that balance. I do not seek to repeat that, but I gladly adopt the observations they made about the need for balance in the context of convention rights with regard to privacy and freedom of expression.

Data Protection Bill [HL]

Lord Stevenson of Balmacara Excerpts
Report: 2nd sitting (Hansard - continued): House of Lords
Wednesday 13th December 2017

Lords Chamber
Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Blencathra

Perhaps I may give the noble Lord some information which he may not have been aware of, as he may have left the Met by then. The reason that maybe up to 100 people were able to sue on the hacking was because their names appeared in the Mulcaire diaries, and the Met team kindly went and told every single person who had possibly been hacked, “They’re after you. You’re in Mulcaire’s diaries and you may care to contact some lawyers. Here are some lawyers who are doing a group action. If you join that, there is no great risk to yourself—you will be in there with a lot of others. The lawyers will be there on a no-win no-fee basis and you’re perfectly safe to do it”. That is why most of those people were able to go together in a joint action, but the thousands of individuals do not have a hope.

Lord Stevenson of Balmacara (Lab)

My Lords, I have been trying to search for words to explain what is going on at the moment. It seems to me that we are living in two parallel universes. My first thought was that we were back in World War I territory—the noble Lord, Lord Black, will get the reference—and that we were engaging in sniping over long pieces of dead ground over issues that nobody could understand, fought by people who did not want to be there and led by people even more stupid than that. But I have decided that this is the rerun of an acrimonious family dinner that we had before the break. We are now reflecting on that and trying to nerve ourselves up to talk again to each other and restore relationships, because relationships must go on.

Again, we have had these passionate stories, anecdotes and recollections of times when things have gone disastrously wrong. No amount of legal redress can undo that suffering. From others, we have heard a perfectly robust and understandable account of why things are perfectly all right at the moment and, given time, will be sorted out. I begin to think that Leveson, for all the great work he did and the excellence of his report—and the longevity of its recommendations—is a bit of a McGuffin here. This is about us and society; it is about Parliament. I tried to address some of that at the end of the last debate. We have to get serious about this and work out how to make progress. We have to restore the rightful balance between Parliament, which must be sovereign, and those who work within an environment in which Parliament seems at the moment to have been discounted.

If we do not get this sorted, we will continue to be like this for the rest of time. It is insufficient and ineffective. It will not be the way we want to live our lives and we will all be much the losers as a result. We must give credit to the noble Baroness, Lady Hollins, and her proposals. Yes, they come from Leveson—but underneath that there is the greater truth that things are not working as they could be. They should be working better.

The Advocate-General for Scotland (Lord Keen of Elie) (Con)

My Lords, while we have already debated amendments that are challenging to a free press, I fear that this group of amendments would be potentially hostile to the concept of a free press. Where there are abuses the answer is to enforce the law, not to shut down the media. I adopt the observations of the noble Lord, Lord Pannick, and my noble friend Lady Wheatcroft in that regard.

Amendment 53 would remove the requirement to give special weighting to the public interest in freedom of expression and information. This is something that we consider an essential way of ensuring that information that is in the public interest is not buried due to the data protection regime that is put in place. In this context, giving special weight to the public interest in freedom of expression and information is an important way of ensuring that we provide constitutional protection of freedom of speech, as required pursuant to Article 10 of the European Convention and the Human Rights Act.

Amendments 54 and 56 relate to the codes of practice to guide journalists in conducting the essential public interest balancing test that has to be carried out. We have already debated this in the previous group, before the dinner break. Amendment 54 intends to take away the absolute requirement to have regard to the listed codes of practice when determining whether publication would pass the public interest test. This requirement is a way of strengthening the obligations on journalists. In line with the enhanced protection of the GDPR, we are making sure that those journalists who are covered by one of the listed codes must have regard to their relevant code.

In a related amendment, Amendment 56, the noble Baroness, Lady Hollins, has suggested that we alter the language of the condition on the special purposes exemption at paragraph 24 of Schedule 2 to the Bill by changing “relevant” to “appropriate”. This amendment makes it unclear which code should be consulted in a given case. We want to ensure that the code which pertains to a particular set of journalists is the code to which they have regard when carrying out the public interest test.

We are not being unreasonable in resisting Amendments 54 and 56. They may look innocuous, just slightly changing the language of the Bill, but if we are to be true to the GDPR, we must ensure that in our law we have resolved the article 85 requirement to set where the public interest lies in managing the balance between privacy and freedom of expression. If we make the use of these codes discretionary and their application vague, we will simply undermine that balance.

Finally, I turn to the amendments from the noble Baroness that aim to create a special group of exemptions only for those journalists who are members of an approved regulator. As drafted, the Bill is designed to protect journalists who should be able legitimately to rely on these exemptions when undertaking journalism in the public interest, regardless of which regulator they belong to or whether they belong to any at all. The reality of the press landscape today is that the vast majority of publishers are not members of an approved regulator. As such, limiting certain exemptions to only those who are members of an approved regulator would limit the ability of most journalists in this country to undertake investigative journalism in the public interest. Whatever the motive or the intention behind these amendments, they are, I am afraid, either wrecking amendments or amendments designed to force publishers to sign up to a regulator to which they object—and that is not acceptable.

Section 40 of the Crime and Courts Act 2013 was mentioned. As we have previously discussed, the Government are currently considering Section 40 with regard to part 2 of the Leveson inquiry. We do not believe that using data protection legislation is an appropriate means of trying to incentivise compliance with, for example, Section 40.

The noble Lord, Lord Stevenson, observed just three weeks ago, and earlier this evening, that this is not perhaps the place for this debate. He commented:

“I do not think the Bill is the right place to rerun some of the long-standing arguments about Leveson”.—[Official Report, 22/11/17; col. 195.]


I concur with that observation, which he just reinforced with his observations about the need for us perhaps to look more clearly at what the real issue is rather than being distracted by trying to act as tail-end Charlies to a particular piece of legislation on data protection.

There will be a response to the consultation on Section 40 and Leveson 2, but I shall make one comment with regard to the suggestion about delay in that consultation process. Noble Lords may recollect that the Secretary of State was the subject of a judicial review application which made it impossible for her to proceed with the consultation because the terms of the consultation were the subject of legal challenge. Thereafter, when the consultation proceeded, there were more than 174,000 responses. They had to be analysed and considered, but the fact that there was that number of responses perhaps gives weight to the observation of the noble Lord, Lord Stevenson, about there being an issue that needs to be addressed, and therefore we must look forward to the response to the consultation. I invite the noble Baroness to withdraw the amendment.

--- Later in debate ---
Moved by
81: Clause 20, page 12, line 19, after “GDPR” insert “, having regard to any relevant Recital of the GDPR,”
Lord Stevenson of Balmacara

My Lords, I am grateful to my noble friend Lord Kennedy for supporting me and to the noble Lord, Lord Clement-Jones, for adding his name to this amendment, which is one in search of an easy resolution—and I hope it can be done very quickly. The Minister and his colleagues have from time to time had to animadvert the recitals of the GDPR as evidence and support for claims that they make. I have no concerns with them doing that because I am quite happy with the recitals—I like them, understand them and think they are rather useful things to have around. What I do not understand is how that will happen when we go to the applied GDPR, when the only issue that will be able to be tested in court, as I understand it, is the GDPR itself. Therefore, I went to the Public Bill Office. Normally, its staff are difficult friends for an Opposition seeking to amend a Bill. They throw unforeseen, difficult and complicated legal issues in our way and make it very difficult for us to get to where we want. However, on this occasion, they said, “Leave it with us. We know exactly what you want. We will put an amendment together that will satisfy every concern you have”. It is there in front of us as Amendment 81, which I beg to move.

--- Later in debate ---
Lord Ashton of Hyde

Sorry, I should have said “ad infinitum”—that is perfectly correct.

The Government do not dispute that recitals form an important part of the GDPR. As I said, we have all referred to one recital or another many times. There is nothing embarrassing or awkward about that. It is a fact of EU law that courts often require assistance in properly interpreting the articles of a directly applicable regulation—and we, as parliamentarians, need to follow that logic, too.

I would remind noble Lords that the Government have been clear that the European Union (Withdrawal) Bill will be used to deliver two things which are very important in this context. First, under Clause 3 of the withdrawal Bill, recitals of directly applicable regulations will be transferred into UK law at the same time as the articles are transferred. There is no risk of them somehow being cast adrift. Where legislation is converted under this clause, it is the text of the legislation itself which will form part of domestic legislation. This will include the full text of any EU instrument, including its recitals.

Secondly, Clause 6 of the withdrawal Bill ensures that recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a substantive legal rule. Clause 20(5) of this Bill ensures that whatever is true for the interpretation of the GDPR proper is also true for the applied GDPR.

More than 10,000 regulations are currently in force in the European Union. Some are more important than others but, however you look at it, there must be more than 100,000 recitals across the piece. The European Union (Withdrawal) Bill provides a consistent solution for every single one of them. It seems odd that we would want to use this Bill to highlight the status of 0.1% of them. Nor, as I say, is there a need to: Clause 20 already ensures that the applied GDPR will be interpreted consistently with the GDPR, which means that it will be interpreted in accordance with the GDPR’s recitals wherever relevant, both before and after exit.

There is one further risk that I must draw to the House’s attention. Recitals are not the only interpretive aid available to the courts. Other sources, such as case law or definitions of terms in other EU legislation, may also be valid depending on the circumstances. Clause 20(5) as drafted provides for all interpretive aids to the GDPR to apply to the applied GDPR. By singling out recitals the amendment could uniquely elevate their status in the context of the applied GDPR above any other similar aids. This, in turn, may cause the GDPR and applied GDPR to diverge.

The drafting of the noble Lord’s amendment is also rather perplexing. It seeks to affect only the interpretation of the applied GDPR. The applied GDPR is an important part of the Bill but it is relatively narrow in its application. I am not sure it has the importance that the noble Lord’s amendment seeks to attach to it. It is, at most, a template for what will follow post exit.

I will not stand here and say that the noble Lord’s amendment would be the end of the world. That would be disingenuous. However, it is unnecessary, it risks unintended consequences and it does not achieve what the noble Lord is, I think, attempting. For those reasons, I am afraid I am unable to support his amendment this evening and I ask him to withdraw it.

Lord Stevenson of Balmacara

That is a very disappointing end to a rather splendid day. If you read Amendment 81 closely, it simply says “having regard to”, which is probably the weakest form of expression you can find in any legal circumstance. I am a bit surprised that the Minister could not come to a better conclusion than he did. In fact, we got a sort of Pepper v Hart-ish approach to it; we can rely on it but it is not as good as it would have been if we had agreed Amendment 81. I can say nothing more on this except that I am sure that we will return to this at some stage. I beg leave to withdraw the amendment.

Amendment 81 withdrawn.

Data Protection Bill [HL]

Lord Stevenson of Balmacara Excerpts
Lord Stevenson of Balmacara (Lab)

My Lords, I thank the Minister for moving his amendment and for his concluding remarks, which I will return to. I welcome this amendment, and the implication it carries that the Government have listened to the discussions we have had in the last few weeks and have moved from their initial position.

I will speak to Amendment 2, which I am delighted has also been signed by the noble Baroness, Lady Ludford. I am sure that your Lordships’ House will recognise that, in bringing forward a revised draft, we have reflected very deeply on the points made by noble and noble and learned Lords in the debate on the original amendment moved in Committee. In addition to noble Lords who spoke on that occasion, I thank the academic and practising lawyers—as well as many in industry—who have contributed to our emerging thinking on this topic. Before it was submitted to the gruelling process that happens to all amendments when they go to the Public Bill Office, I sent an earlier draft of this amendment to many Members of this House who spoke in that earlier debate. I am grateful for the comments I have received.

It is unusual to have two amendments bearing on very similar points. It is an advantage to be able to see the conflicting, and often overlapping, thinking that has gone into this. It is clear to all who have read both and thought about them that, while we are not yet in full agreement, we are very close. Indeed, I venture to suggest that there is more that unites us on this issue than divides us. What do we agree on? We both recognise that the key data protection rights currently enjoyed by citizens in the UK crucially underpin any assessment of adequacy that might need to be made by the EU post Brexit. They are crucial for the future of our successful data-handling industry. We both want the key data protection rights currently enjoyed by citizens in the UK to continue once the Bill becomes law, while the GDPR is in force, and then after Brexit—if that happens. We agree that the key question to be determined is not the exact wording of one or other but whether it is necessary for these key rights, currently enjoyed by UK citizens through Article 8 of the EU Charter of Fundamental Rights, to be expressed clearly for all to see on the face of the Bill, or whether their existence in various parts of the Bill—and in the GDPR and its recitals—is sufficient.

By putting down their own amendment on this issue, the Government seem to agree that explicit references in the Bill will be helpful, for the reasons given above. We now need to get together to find a form of words which will achieve this aim and which we can both support. I therefore agree with the noble Lord that the right thing to do is for both sides to withdraw their amendments on this issue today and for the Minister to confirm—as he has done—that the matter is of sufficient importance to be brought back for further consideration at Third Reading. If he will agree to that, I will not move my amendment when it is called.

Baroness Ludford (LD)

My Lords, I also welcome the fact that we are in touching distance of an agreement on this matter. I thank the Minister for bringing forward Amendment 1. However, there is a little way to go. Amendment 1 is declaratory of what is contained in the Bill, whereas Amendment 2 is rather stronger and clearer.

Embedding a general right to data protection inspired by the Charter of Fundamental Rights is not only important for UK citizens but, as we have agreed in many debates and exchanges in this House, it is crucial for unhindered data flows between the UK and the European Union if we Brexit. It is absolutely crucial for business and law enforcement to be able to exchange data and have access to EU databases, such as the Schengen Information System, Europol and so on. The Government’s review of the charter, which was also most welcome and was produced last week, says that,

“domestic courts will be required to interpret retained EU law consistently with the general principle reflected in Article 8, so far as it is possible to do so”.

Is the Minister able to elucidate what that caveat leaves out? What would not be possible?

In the Watson case, to which the Brexit Secretary was a party until he became the Brexit Secretary, the European Court of Justice found that the current UK data protection regime in relation to data retention and acquisition was incompatible with Article 8 of the charter. This demonstrated the deep importance that the European Union places on charter rights in the protection of privacy. The draft resolution that the European Parliament is due to debate and vote on this Wednesday, on the joint report on the phase 1 divorce agreement that was reached last Friday,

“underlines that it will accept a framework for the future EU-UK relationship as part of the Withdrawal Agreement only if it is in strict concordance with the following principles”,

including the,

“United Kingdom’s adherence to the standards provided by international obligations, including fundamental rights … data protection and privacy”.

So we can expect this to be a very important matter, on which there will be a spotlight in the consideration of an adequacy assessment by the European Commission, which I think we all agree it is essential to achieve.

As I said in Committee, the adequacy assessment will be wide-ranging, taking in all aspects of law and practice in the United Kingdom. Of course, this will include the law and practice in terms of national security, which at the moment—rather ironically, or perversely—are excluded under the EU treaties. Once we are outside—if we are—there will be closer examination of how privacy fares in relation to the demands of national security than there is while we are in the EU. In that context, the national security issues in the Bill, which will be further debated as well, will perhaps take on a heightened importance.

On these Benches we believe that the rights under the charter in relation to data protection should be reflected in the Bill so as to have a general right to the protection of personal data in UK law. I very much agree with the course advocated by the noble Lord, Lord Stevenson, to reflect further and to accept the Government’s offer to come forward at Third Reading with something that we could all agree on.

--- Later in debate ---
Lord Ashton of Hyde

I thank the noble Lord. As I said in Committee, we too saw no need for this. The Government have moved because they are always listening and we hope that we can make this more acceptable. I will read what was said by the noble Lords, Lord Pannick and Lord McNally, and my noble friend Lord Faulks, but I would like to press my amendment so that we might have it as a basis for further discussion before Third Reading.

Lord Stevenson of Balmacara

My Lords, the Minister has received quite a lot of comment from around the Chamber on this and I made it clear in my opening remarks that I thought the best solution was to have neither amendment. If we are to have a genuine discussion, it does not seem helpful to have in the Bill the wording which the Minister has alighted on at this stage in his conversion. It would be much better to start with a blank sheet and try to work to a common solution. I beg him to reconsider his view and withdraw his amendment; I will not press mine. We could then move to Third Reading with a clean slate.

Lord Ashton of Hyde

My Lords, I understand what the noble Lord is saying. This amendment has been around the houses in government; it has had many people from many departments looking at it from top to bottom. The feeling of the Government at the moment is that it is better to have something on paper as a basis for discussion. I would like to press my amendment.

Data Protection Bill [HL]

Lord Stevenson of Balmacara Excerpts
Monday 11th December 2017

Lords Chamber
On Amendment 117, tabled by the noble Earl, Lord Clancarty, I come rather late to the party. However, he made a strong case—there is a crucial case to answer. I know that 20 organisations have written to the Prime Minister on this issue today. The new national data collection in the alternative provision census comes into effect in January, with new labels being added to children’s records and the national pupil database. This database is currently in use. Apparently more than 1,000 requests for the use of confidential pupil records in the database have been approved by the Department for Education since March 2012. It is not a theoretical database and the Department for Education has to take responsibility for it. The points made by the noble Earl need answering—if not by the Minister then certainly by the Department for Education.
Lord Stevenson of Balmacara (Lab)

My Lords, we have had a good discussion this evening about topics raised in Committee, where the strength of feeling and expertise displayed was highly instrumental in persuading Ministers to think again about the approach they were taking towards the regulatory process for children’s data being transferred into the internet. It shows that well-argued cases can get through even the most impervious armour put on by Ministers when they start battling on their Bills. I am delighted to see it.

The noble Lord, Lord Clement-Jones, commented on Amendment 117, tabled by the noble Earl, Lord Clancarty. I wondered why that amendment had been included in the group because it seemed to point in a different direction. It deals with data collected and used by the Government, having cleared what would presumably be the highest standards of propriety in relation to it. However, the story that emerged, endorsed by the noble Lord, Lord Clement-Jones, is shocking and I hope that the Minister will be able to help us chart a path through this issue. Several things seem to be going wrong. The issues were raised by my noble friend Lord Knight in Committee, but this amendment and the paperwork supplied with it give me a chill. The logic behind the amendment’s being in this group is that this is the end-product of the collection of children’s data—admittedly by others who are providing it for them in this case—and it shows the kinds of dangers that are about. I hope that point will be answered well by the Minister when he comes to respond.

I turn to the substantive amendment; it is an honour to have been invited to sign up to it. I have watched with admiration—as have many others—the skilful way in which the noble Baronesses, Lady Kidron and Lady Harding, and others have put together a case, then an argument and then evidence that has persuaded all of us that something can be done, should be done and now will be done to make sure that our children and grandchildren will have a safe environment in which they can explore and learn from the internet.

When historic moments such as this come along you do not often notice them. However, tonight we are laying down a complete change in the way in which individuals relate to the services that have now been provided on such a huge scale, as has been described. I welcome that—it is an important point—and we want to use it, savour it and build on it as we go forward.

I first sensed that we were on the right path here when I addressed an industry group of data-processing professionals recently. Although I wowed them with my knowledge of the automatic processing of data and biometric arguments—I even strayed into de-anonymisation, and got the word right as I spoke in my cups—they did not want anything to do with that: they only wanted to talk about what we were going to do to support the noble Baroness, Lady Kidron, and her amendments. When the operators in industry are picking up these debates and realising that this is something that they had always really wanted but did not know how to do—and now it is happening and they are supporting it all they can—we are in the right place.

The noble Baroness, Lady Harding, said something interesting about it being quite clear now that self-regulation does not work—she obviously has not read Adam Smith recently; I could have told her that she might have picked that up from earlier studies. She also said, to redeem herself, that good regulation has a chance to change behaviour and to inculcate a self-regulatory approach, where those who are regulated recognise the strength of the regulations coming forward and then use it to develop a proper approach to the issue and more. In that sense she is incredibly up to date. Your Lordships’ House discussed this only last week in a debate promoted by the noble Baroness, Lady Neville-Rolfe, on what good regulation meant and how it could be applied. We on these Benches are on all fours with her on this. It is exactly the way to go. Regulation for regulation’s sake does not work. Stripping away regulation because you think it is red tape does not work. Good regulation or even better regulation works, and that is where we want to go.

There are only three points I want to pick out of the contribution made by the noble Baroness, Lady Kidron, when she introduced the amendment. First, it is good that the problem we saw at the start of the process about how we were going to get this code applied to all children has been dealt with by the Government in taking on the amendment and bringing it back in a different way. As the noble Baroness admits, their knowledge and insight was instrumental in getting this in the Bill. I think that answers some of the questions that the noble Baroness, Lady Howe, was correctly asking. How do the recommendations and the derogation in the Bill reducing the age from 16 to 13 work in relation to the child? They do so because the amendment is framed in such a way that all children, however they access the internet, will be caught by it, and that is terrific.

The second point I want to make picks up on a concern also raised by the noble Baroness, Lady Harding. While we are probably not going to get a timescale today, the Bill sets a good end-stop for when the code is going to be implemented. However, one hopes that when the Minister comes to respond, he will be able to give us a little more hope than having to wait for 18 months. The amendment does say,

“as soon as reasonably practicable”,

but that is usually code for “not quite soon”. I hope that we will not have to wait too long for the code because it is really important. The noble Baroness, Lady Harding, pointed out that if the message goes out clearly and the descriptions of what we intend to do are right, the industry will want to move before then anyway.

Thirdly, I turn to the important question of how the code will be put into force in such a way that it makes sure that those who do not follow it will be at risk. Yes, there will be fines, and I hope that the Minister is able to confirm what the noble Baroness asked him when introducing her amendment. I would also like to pick up the point about the need to ensure that we encourage the Government to think again about the derogation of article 82. I notice in a document recently distributed by the Information Commissioner that she is concerned about this, particularly in relation to vulnerable people and children, who might not be expected to know whether and how they can exercise their rights under data protection law. It is clear that very young people will not be able to do that. If they cannot or do not understand the situation they are in, how is enforcement going to take place? Surely the right thing to do is to make sure that the bodies which have been working with the noble Baroness, Lady Kidron, which know and understand the issues at stake here, are able to raise what are known as super complaint-type procedures on behalf of the many children to whom damage might be being done but who do not have a way of exercising their rights.

If we can have a response to that when we come to it later in the Bill, and in the interim get answers to some of the questions I have set out, we will be at the historic moment of being able to bless on its way a fantastic approach to how those who are the most vulnerable but who often get so much out of the internet can be protected. I am delighted to be able to support the amendment.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

My Lords, first, like other noble Lords, I pay tribute to the noble Baroness, Lady Kidron, for her months—indeed, years—of work to ensure that the rights and safety of children are protected online. I commend her efforts to ensure that the Bill properly secures those rights. She has convinced us that it is absolutely right that children deserve their own protections in the Bill. The Government agree that these amendments do just that for the processing of a child’s personal data.

Amendment 109 would require the Information Commissioner to produce a code of practice on age-appropriate design of online services. The code will carry the force of statutory guidance and set out the standards expected of data controllers to comply with the principles and obligations on data processors as set out by the GDPR and the Bill. I am happy to undertake that the Secretary of State will work in close consultation with the Information Commissioner and the noble Baroness, Lady Kidron, to ensure that this code is robust, practical and, most importantly, meets the development needs of children in relation to the gathering, sharing, storing and commoditising of their data. I have also taken on board the recommendations of the noble Lord, Lord Clement-Jones, on the internet safety strategy. We have work to do on that and I will take his views back to the department.

The Government will support the code by providing the Information Commissioner with a list of minimum standards to be taken into account when designing it. These are similar to the standards proposed by the noble Baroness in Committee. They include default privacy settings, data minimisation standards, the presentation and language of terms and conditions and privacy notices, uses of geolocation technology, automated and semi-automated profiling, transparency of paid-for activity such as product placement and marketing, the sharing and resale of data, the strategies used to encourage extended user engagement, user reporting and resolution processes and systems, the ability to understand and activate a child’s right to erasure, rectification and restriction, the ability to access advice from independent, specialist advocates on all data rights, and any other aspect of design that the commissioner considers relevant.

Data Protection Bill [HL]

Lord Stevenson of Balmacara Excerpts
Report stage (Hansard - continued): House of Lords
Monday 11th December 2017

Lords Chamber
Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
I hope that I have reassured the noble and learned Lord and the noble Baroness, Lady Hamwee, that the Government understand the concerns raised through these amendments and will undertake to work with the House authorities to, where appropriate, bring forward amendments to address them at Third Reading.
Lord Stevenson of Balmacara (Lab)

Before the Minister sits down, I put it to her that, in the considerations that will take place between now and the return in January, one thing that changes between 1998 and today in terms of the Act is something we have not looked at specifically, although it comes up in the Bill. It is the need to ring-fence the Information Commissioner from any involvement with Parliament or the Government. She is answerable to Parliament, but she should not be in that sense exposed to considerations that might adversely affect her. I hope that might be taken into account as well.

Baroness Chisholm of Owlpen

I agree with the noble Lord, and we will take that into account.

--- Later in debate ---
Lord Patel (CB)

My Lords, I have already spoken on this at length and I do not intend to repeat myself, but I support the amendment from the noble Baroness, Lady Neville-Jones. This is a very important database. It is not just national but international, and it is difficult to collect. That is why I am glad that an accommodation has been made to support the amendment.

Lord Stevenson of Balmacara

My Lords, I add my voice in support of the noble Baroness’s amendment and wish it well. I suspect she has run into the logjam that constitutes the waiting list to see the Bill team and the Ministers, who have been worked so hard in the last few months. But I hope it will be possible, given that there is a bit of time now before Third Reading, for this matter to be resolved quickly and expeditiously before then.

Lord Ashton of Hyde

My noble friend Lady Neville-Jones explained in Committee that Unique plays a hugely important role in providing advice and support to sufferers of rare chromosomal disorders and their carers. Some of these charities have large databases dating back many years, so we understand their desire to maintain these when the GDPR comes into force without necessarily obtaining fresh consent to GDPR standards for each data subject included on the database. When families are providing support to their loved ones, some of whom may need round-the-clock care, filling in a new consent form may not be high on their agenda.

However, they may still value the support and services that patient support groups provide and would be concerned if they were removed from the charities’ databases. If charities such as Unique had to stop processing or delete records because consent could not be obtained, they worry that this would impede the work they do to put patients and their families in touch with others suffering from rare genetic conditions, help clinicians to deliver diagnoses and facilitate research projects. We recognise that this could be particularly damaging when there is barely any knowledge of the condition other than what they may hold on their database.

Let me be clear: if there is a grey area in the Bill that puts this work at risk, the Government are fully prepared to amend it. Legislating in this area is not straightforward and I am keen that the policy and legal teams in the department are able to continue with the constructive discussions they have been having with Unique and the UK Genetic Alliance to ensure that the legislation adequately covers the specific processing activities they are concerned about, while providing adequate safeguards for data subjects. I assure noble Lords that we will use our best endeavours to work on this legislative solution as quickly as possible. If it is not ready by Third Reading, and I am afraid I cannot promise it will be, the Government will endeavour to introduce any necessary provisions at the next possible amending stage of the Bill. I will of course ensure that my noble friend gets the credit she deserves for her persistent efforts on this subject when that time comes.

Government Amendments 72 to 77 are the products of detailed discussion with the noble Lord, Lord Patel, the noble Baroness, Lady Manningham-Buller, and representatives of the Wellcome Trust. I thank them very much for those constructive and helpful discussions. In Committee we discussed the operation of the safeguards in Clause 18 and the potentially damaging impact they would have on pioneering medical research. As I explained at the time, it was never the Government’s intention to undermine such important work, so it is with great pleasure that I table these amendments today.

Noble Lords will recall that the greatest concern stemmed from the safeguard in what is currently Clause 18(2)(a). That paragraph was designed to prevent researchers using personal data to make measures and decisions in respect of particular data subjects but, as the noble Lord explained, there are certain types of medical research where this is inevitable. In the context of a clinical trial, for example, a data subject might willingly agree to participate, but in the course of the trial researchers might need to make decisions about whether the treatment should continue or stop, with respect to some or all data subjects. Government Amendment 77 addresses this concern by making it clear that the safeguard is automatically met where processing is necessary for the purposes of approved medical research. Approved medical research is defined in the new clause and includes, for example, research approved by an ethics committee established by the Health Research Authority or relevant NHS body. Importantly, the new clause also contains an order-making power so that the definition of approved research can be kept up to date.

--- Later in debate ---
Baroness Hamwee

My Lords, I have put my name to this amendment. I stumbled on the omission of Members of this House during debate in Committee, when I asked what I thought was an innocent question. I was asked to appear on the BBC’s “Question Time” after the list of Peers of which I was one was announced but before I actually arrived here. It was a fairly difficult occasion, which I remembered when I was thinking about this issue at lunchtime today. When I referred, during the discussion, to Members of Parliament, Nicholas Ridley said, “You are a Member of Parliament”. We are all Members of Parliament. We happen to be Members of the House of Lords; those who are normally called MPs are Members of the House of Commons. I regard myself as being in a representative position, even though I am not elected.

I disagree with one comment of the noble and learned Lord, which was about the amount of casework that I do. I am so conscious of the problems of getting it wrong, particularly in the area of immigration, that I try not to do that work. However, it is notable how the number of requests to Peers to intervene in individual cases has grown over the last few years. I suppose that reflects the fact that MPs are taking on more and more of what a few years ago one might have called social work. There are not the same demarcation lines as perhaps there used to be.

The casework, among other things, informs our general response to policy issues and specific proposals put before us, so we cannot exclude ourselves from all this. Ten days or so ago, in response to a request to pursue a particular case, I made the point that the individual should approach her own MP. The answer came back, through an intermediary, “She’s an asylum seeker. She doesn’t have an MP. We’re looking for anyone who can help”.

In Committee, questions on this issue were asked round the House. I recall that the noble Lord, Lord Lucas, took up the point after I had asked a question. I am very grateful to the noble and learned Lord for pursuing this matter. I hope that the Minister will accept his suggestion that this should be considered further between now and Third Reading, and that it should be dealt with at this end. I hope that the Minister will this evening assure us that it will remain on the agenda and that we can return to it at the next stage of the Bill in this House.

Lord Stevenson of Balmacara

My Lords, we do not need to think very hard about this issue in terms of providing evidence that might be helpful to Ministers given that at Oral Questions today, at which I think the Minister and the noble Baroness were present, a case was raised by a Peer on our side of the House, in a Question to the DWP Minister, which verged on picking up a particular case. It was very useful in terms of making a broader political point. Are we saying that that will not be possible in future, as it raises significant questions? Secondly, as the noble Baroness, Lady Hamwee, said, irrespective of whether we have been an MP or a Member of the other House, we receive letters and emails almost daily offering individual data and information which, if we used it, would, I think, fall into the category mentioned by the noble and learned Lord.

At the weekend, I had the privilege of seeing the RSC perform the “Imperium” plays, adapted from the books of Robert Harris. These deal with a well-known orator, Cicero. Noble Lords will not be surprised to learn that he recommends to his clients—at one stage, he gives a tutorial to fellow citizens of Rome who intend to seek high office—that it is always helpful, and always catches the attention of an audience, if you give the specifics of an individual case and rise from that to the general. So if there is a possibility of placing a constraint on the ability of Members of this House to raise cases in an effort to improve the quality of life for citizens to whom we owe a duty of care and responsibility, that must be wrong. I hope that the Minister will take this away and work with the noble and learned Lord, Lord Brown, to bring something forward at Third Reading.

Baroness Chisholm of Owlpen

My Lords, Amendments 28 and 29 create a new processing condition for Members of this House. The Government’s view is that the provisions in paragraphs 19 and 21 of Schedule 1 are intended to reflect the unique and special nature of the relationship between an elected representative and their constituent.

Like the noble Baroness, Lady Hamwee, and the noble and learned Lord, Lord Brown, I am very aware of the important and valuable work that many noble Lords carry out on behalf of members of the public, advocating for their rights, taking up their cases with government departments and representing their interests in any number of scenarios. However, this relationship between a Peer and a member of the public is of a different nature and order from that conferred on an elected representative by their constituents. Elected representatives have particular rights and duties to act on behalf of the citizens they represent. The Government therefore consider it appropriate for them to be able to deal with urgent situations where they could not reasonably be expected to obtain consent; for example, in the case of an individual facing imminent deportation. There is no such need for Peers to be exempted from the provisions on consent. I stress again that nothing in the Bill or the GDPR prevents Peers undertaking casework if they first obtain the consent of the individual concerned.

I emphasise that these provisions are not new. The position under the 1998 Act is very similar and, in answer to the point made by the noble Lord, Lord Stevenson, it has not prevented Peers who are interested in undertaking casework doing so. Indeed, I have not found difficulty in this respect; I have just obtained consent first.

I hope I have reassured the noble and learned Lord that the Government understand the concerns raised, and that in this instance he will withdraw his amendment.

Data Protection Bill [HL]

Lord Stevenson of Balmacara Excerpts
Committee: 6th sitting (Hansard): House of Lords
Wednesday 22nd November 2017

Lords Chamber
Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
I make one further comment because of the eloquent point made by the noble Lord, Lord Low, about the use of commencement powers and failing to carry out the law that Parliament has passed. This is a serious matter and it extends far beyond this Bill. We will be looking at a great deal of legislation which will depend on a variety of statutory instruments, ranging from policy issues to matters of timing. It is not a good precedent to accept that it is appropriate to leave in the hands of Ministers the ability to decide whether the law which Parliament has passed should exist in reality or not.
Lord Stevenson of Balmacara (Lab)

My Lords, I apologise to the House because my voice is annoyingly masked. I urge noble Lords to put their hearing aids on because it might not last until I have said what I want to say.

Every now and then in this House, we have a debate of such importance and significance that the House behaves in a completely different manner from its normal routine. We have had that today. There is a sense of stillness, expectancy and interest that we do not always get, and it is important that we hold on to it because we are touching on some very important and deep issues. While we obviously need to deal with the narrow question of the amendments before us, I hope very much that the wider resonances of this debate might help unpick some of the difficulties that have been raised in our discussion and which are relevant in society today.

I am so taken by the debate we have had that I want first to mention to the House that our amendment in this group, which was laid as one of the first amendments, is an entirely “fake” amendment, if I may use that word. It is a probing amendment and does not mean anything. I can tell the House now that I will not be pressing it. I hope the Minister will do me the justice of not even bothering to respond to it because it has lost all relevance in the light of the issues that have been raised subsequently. My second point is a slightly cheeky one: since I am no longer involved with our amendment in this group and we do not have any names attached to any of the others, I will bring a completely new and independent view to the discussions. I hope that noble Lords will enjoy that.

I hope that the noble Lord, Lord Black, does not take this, my final opening point, the wrong way. I am not going to follow the line of the noble Lord, Lord McNally, and accuse him of crimes he is not going to commit, but this is so important that we need to come back to it in another place and at another time. I hope that he will understand that. I think that it probably needs a Bill of its own to get this right. We can discuss that later.

Okay. Trying to make sense of what we have in front of us—in this alphabet soup that we often have in complicated parts of Bills—I want to approach this in the following way. I said at Second Reading, and I repeated in the debate last week, that I do not think the Bill is the right place to rerun some of the long-standing arguments about Leveson. I do not think that anything said today should be withdrawn; it is really important stuff that needs to be resolved. But this is probably not the Bill to do that in and I will give some reasons for that.

The main worry that I have, and several noble Lords have mentioned this, is that we are talking about a package of measures that were the product of a particular time. For all the reasons that have been given, bits have succeeded and bits have not succeeded; bits have been implemented and bits have not been implemented, and I do not think that it is right for this Bill at this time to try to kick-start some of the bits that need to be looked at, particularly the amendments that relate to the Crime and Courts Act 2013. The speech of the noble Earl, Lord Attlee, was a very good introduction to those. He made a very good case for them. That case does need to be answered, but this is not the right place for that, so I do not support them.

I do not think that Amendment 179A works in the context that I am trying to sketch out. The case made by the noble Baroness, Lady Hollins, as always, was incredibly powerful and one’s heart reaches out to everything she says, which was also picked up by the noble Lord, Lord Low. We want to do something about this and we think that the way that the Government have treated Leveson 2 is a disgrace. It is a shameful way to behave, given the treatment of the victims. We must never forget that.

The third group of amendments here—the amendments of the noble Lord, Lord McNally—also makes very good sense. They are sensible amendments but, for the same reason, we should not continue with them today.

Lord McNally

The noble Lord is giving the Government a “get out of jail free” card, unless he has something else to say. There are areas in all these amendments that have massive implications for data and data protection. If they do not fit into the scope of a Data Protection Bill, where on earth will they fit?

Earl Attlee

My Lords, I would also like to have a little pop at the noble Lord. I understand his point that this is a Data Protection Bill and not something to amend the Crime and Courts Act. Of course, I experienced significant difficulties with the clerks trying to table an amendment to try to amend that Act. But if we had a suitable legislative opportunity—another criminal justice Bill—would the noble Lord’s party support an amendment to make Section 40 of the Crime and Courts Act commence forthwith?

Lord Stevenson of Balmacara

To answer that last point first, we have supported that in the past and on the right occasion we would probably support it again. But my point is not about the quality of the case made or the correctness of the approach. It is just not the right time to do that. The same answer applies to the noble Lord, Lord McNally. I did not say that we would not support him if he brought this back at Report. I am simply saying that, at this particular point, I want to use this debate to focus on something else and that is why I am trying to approach the issue in this way. I hope that noble Lords will bear with me before my voice gives up finally. I hope that I can allow that to ring out so that noble Lords can be inspired by it. That is a faint hope.

Underneath the debate that we have had today are some really important questions. I will pose them quickly in the hope that we will get a response from the Minister. It is really important that the noble and learned Lord uses this opportunity to set out very clearly what the Government’s position is on a number of these key points. Is the regime that currently applies to the press, as set out in the Data Protection Act 1998, still the case in the Bill? In other words, has the regime that has worked well since 1998 been changed in any way by its transposition into this Bill? If it has not, he has to be very clear that that is the case. The case that has been made suggests that, in the rewriting and repositioning of Clause 164, something has happened that has alerted everyone to the point, which was made very well by the noble Viscount, Lord Colville, and the noble Lord, Lord Black. I do not think that that was what we understand to be the case, and certainly I and my noble friend Lord Griffiths have asked for chapter and verse on this so that we can be sure that what we are seeing is exactly what the current law is. That is a straightforward question.

Secondly, we need to be persuaded, if we have not been already, that either the technology or the working practices in print journalism in particular, but also in relation to how print journalism is now often paired up with moving image technologies, has produced such a step-change in the way they operate that the additional defences proposed by the noble Lord, Lord Black, or the additional protections that might be needed by victims, which are so important and relevant, do not need to be brought into the Bill. The case has been made, the charge is there, and the Government must come back and tell us what arrangements have been made.

Thirdly, does the fact that many, but not all, direct investigations of a journalistic type are now done jointly with an audio-visual component, so that we have combinations between major newspapers and television broadcasters or even film, mean that we now have in perpetuity dual regulation, in which case the approach taken by Ofcom has to sit with the regulations under the Data Protection Act 1998 or the Data Protection Bill when it becomes law? If that is the case, we have a problem that needs to be confronted. We have one post hoc regulatory structure and one that is mainly post hoc but has an element, albeit restricted and on a narrow basis, in print journalism. If the way the world is moving suggests that everyone doing this work will have to be involved with two regulators, the Government’s Bill does not take that trick and we will need to come back to the point.

Fourthly, what is it about print journalism which is so different that it requires there to be a predetermination capacity for the ICO compared with the situation when the same work, and possibly the same output, is done under Ofcom? My noble friend Lord Puttnam and the noble Baroness, Lady Stowell, made the point that the difference is that the media in this country are very strongly regulated. There are codes, statutory frameworks and editors who are clearly responsible for them and work to them well. However, a different situation pertains here. That does not mean to say that it should be applied across all the outputs involving investigative journalism, but it must be said that if there was in existence a robust, independent and effective press complaints system which enjoyed the confidence of victims, perhaps we would make better progress on the particular issues which have been raised today. That is the point on which we must focus as regards where we might go with this. I hope that when the noble and learned Lord comes to respond, he can bring some light to this issue.

The Advocate-General for Scotland (Lord Keen of Elie) (Con)

My Lords, I am obliged to all noble Lords for their contributions this afternoon. I would hope that recent debates, particularly in Committee on the Bill, have assured noble Lords that the Government are absolutely committed to preserving the freedom of the press and maintaining the necessary balance between privacy and freedom of expression in our existing law that has generally served us well over many years.

Perhaps I may take some of the amendments in turn. The first, Amendment 163A, was brought forward by my noble friend Lord Black. It asks that the Bill should require that greater consideration be given to the right to freedom of expression and information when the Information Commissioner is exercising her enforcement powers. Amendment 164A would require the commissioner to consider, for example, any other financial penalties imposed by another regulator as a result of failure—a point that was touched on tangentially by the noble Lord, Lord Stevenson, in his closing remarks.

I hope that my noble friend Lord Black agrees that it is important that any amendments in this space do not impact disproportionately on the commissioner’s resources and her ability to execute her regulatory functions in an effective manner. I will give further consideration as to whether these amendments meet that test. I will address my noble friend’s contribution on this point in Hansard and the Government will reflect upon it. I do not hesitate because I am making a concession; I am merely making an observation.

--- Later in debate ---
Moved by
170CA: Clause 162, page 91, line 3, leave out “de-identified” and insert “anonymised”
Lord Stevenson of Balmacara

My Lords, this is a relatively narrow point and affects only a very small part of the Bill, but is still quite important. The amendments in the group mainly cover the question of how the Bill can reach out to the question about anonymisation and how, or not, it plays against de-identification. There are two amendments and a clause stand part Motion which relate to other slightly different issues, which we will get to in turn.

Amendment 170CA would insert into the Bill the term “anonymisation”, as there is no definition of de-identification in the Bill. I will come back to explain what that means in practice. Amendment 170CB provides an important exemption for data scientists and information security specialists dealing with a particular area, because there is a fear that the introduction of criminal sanctions might mean that they would be caught when they are trying to consider the issue for scientific and other reasons. Amendment 170CC adds a definition of identified data—after all, if it is to be criminalised, there needs to be a definition. This definition will cover cases which involve names of individuals, but will also cover those where fingerprints, for instance, are used to identify people.

The clause creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller. Amendment 170F asks for guidance relating to this offence. It is at the request of the Royal Society, because it wants clarity on the legal basis for processing.

Amendment 170G concerns transparency. If we are going to go into this area, it is very important that we know more about what is happening. The amendment suggests that the Information Commissioner,

“must set standards by which a data controller is required to anonymise personal data”.

There may be lots of new technologies soon to be invented or already available, and it is important that the way in which this important work goes forward can be flexed as and when new technologies come forward. We think that the Information Commissioner is in the strongest position to do that.

The other set of amendments to which our names are attached, Amendments 170E and 170H, relate to particular problems that can arise in large databases within health. There is a worry that where re-identification occurs by accident or just through the process of using the data, an offence will be created. MedConfidential suggests that some form of academic peer reviewing might be useful in trying to assess whether this was a deliberate act or just an unfortunate consequence of the work being done by those looking at the dataset concerned. The further amendment, Amendment 170H, clarifies whether an offence actually occurs when the re-identification work applies to disseminated NHS data—which of course, by its very nature, is often rather scattered and difficult to bring together. There is a particular reason for that, which we could go into.

At the heart of what I just said is a worry that certain academics have communicated to us: that the Bill is attempting to address what is in fact a fundamental mathematical problem—that there is no real way of making re-identification illegal—with a legal solution, and that this approach will have limited impact on the main privacy risks for UK citizens. If you do not define de-identification, the problem is compounded. The reference I have already made suggests that there might be advantage to the Bill if it used the terms used in the GDPR, which are anonymisation and pseudonymisation.

The irony which underlies the passion with which we have received submissions on this is that the people likely to be most affected by this part of the Bill are UK information security researchers, one of our academic strengths. It seems ironic that we should be putting into the Bill a specific criminal penalty which would stop them doing their work. Their appeal to us, which I hope will not fall on stony ground, is that we should look at this again. This is not to say in any sense that it is not an important issue, given the subsequent pain and worry that happens when datasets certified as anonymised are suddenly revealed as capable of being cracked, so people can pick up not just details of information about dates of birth or addresses but much more important stuff to do with medical health. So it is very important—and others may want to speak to the risk that it poses also to children, in particular. I hope that that is something that we might pick up.

There needs to be a proper definition in the Bill, whatever else we do about it, and that would be right in a sense. But we would like transparency about what is happening in this area, so that there is more certainty than at present about what exactly is meant by anonymous data and whether it can be achieved. That could be solved if the Information Commissioner is given responsibility for doing it. I beg to move.

Lord Clement-Jones (LD)

We are in the thickets here at the interface between technology, techno-speak and legality. Picking our way through Clause 162 is going to be rather important.

There are two schools of thought. The first is that we can amend this clause in fairly radical ways—and I support many of the amendments proposed by the noble Lord, Lord Stevenson. Of course, I am speaking to Amendment 170E as well, which tries to simplify the language and make it much more straightforward in terms of retroactive approval for actions taken in this respect, and I very much hope that parliamentary draftsmen will approve of our efforts to simplify the language. However, another more drastic school of thought is represented by many researchers—and the noble Lord, Lord Stevenson, has put the case very well that they have put to us, that the cause of security research will be considerably hampered. But it is not just the research community that is concerned, although it is extremely concerned by the lack of definition, the sanctions and the restrictions that the provisions appear to place on their activities. Business is also concerned, as numerous industry practices might be considered illegal and a criminal offence, including browser fingerprinting, data linkage in medicine, what they call device reconciliation or offline purchases tracking. So there is a lot of uncertainty for business as well as for the academic research community.

This is where we get into the techno-language. We are advised that modern, privacy-enhancing technologies such as differential privacy, homomorphic encryption—I am sure that the Minister is highly familiar with that—and question and answer systems are being used and further developed. There is nothing worse than putting a chill on the kind of research that we want to see by not acknowledging that there is the technology to make sure that we can do what we need to do and can keep our consumers safe in the circumstances. The fact is that quite often anonymisation, as we are advised, can never be complete. It is only by using this new technology that we can do that. I very much hope that the Minister is taking the very best legal and technology advice in the drafting and purposes of this clause. I am sure that he is fully aware that there is a great deal of concern about it.

--- Later in debate ---
Lord Ashton of Hyde

In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.

Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.

Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.

It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.

I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.

Lord Stevenson of Balmacara

I thank the noble Baroness, Lady Neville-Rolfe, and welcome her to her first full session. I am glad that we have been able to reorganise our timings so that she has been able to attend and contribute—something that we have missed until now. I also thank the noble Lords, Lord Lucas and Lord Clement-Jones, for their comments and support for this series of amendments.

There is a whiff of Gilbert and Sullivan about this. We are talking about a technology that has not yet settled down, and about protections which I do not in any way say are wrong. The technology is still developing and still uncertain, and we are told by experts that what the Bill is trying to do cannot happen anyway. The amendments offer the Government the chance to think again about the need to find a progressive path. We set out on what is often a voluntary basis, under the Government’s approach, with a code that works. People are brought in and consulted, and eventually the crime to be committed is defined—until we have that, we really do not have anything—and we try to be respectful of the fact that people would move out of the sector if they felt that their work would be attacked because it was illegal.

I am grateful to the noble Lord for listening to the debates. I hope that we can have a meeting about this to pick up some of the points and take the matter forward from there. I beg leave to withdraw the amendment.

Amendment 170CA withdrawn.
--- Later in debate ---
Moved by
184: Clause 173, page 98, line 20, at end insert—
“( ) In relation to the processing of personal data to which the GDPR applies, Article 80(2) of the GDPR (representation of data subjects) permits and this Act provides that a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate, under—
(a) Article 77 (right to lodge a complaint with a supervisory body);
(b) Article 78 (right to an effective judicial remedy against a supervisory authority); and
(c) Article 79 (right to an effective judicial remedy against a controller or processor),
of the GDPR if it considers that the rights of a data subject under the GDPR have been infringed as a result of the processing.”
Lord Stevenson of Balmacara

My Lords, at earlier stages of the Bill, the Minister and others have been at pains to stress the need to ensure that, whatever we finally do, the Bill should help to build trust between those who operate and accept data and those who provide it—the data subjects. It is important that we look at all aspects of that trust relationship and think about what we can do to make sure that it fructifies. Amendment 184 tries to add to the Bill something that could be there, because it is provided for in the GDPR, but is not there. Will the Minister explain when he responds why article 80(2) of the GDPR is not translated into UK legislation, as could happen? The proposed new clause would provide that,

“a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate”.

I will largely leave the noble Lord, Lord Clement-Jones, to introduce Amendment 185 because he has a new and brief style of introduction, which we like a lot.

Lord Clement-Jones

It is not a new style.

Lord Stevenson of Balmacara

It is certainly new to me. He may have been here a lot longer than I have and there have been other occasions where he has been less than fulsome in his contributions. But I am not in any sense criticising him because everything he says has fantastic precision and clarity, as befits a mere solicitor. It is important that we give him the chance to shine on this particular issue as well.

I mentioned what a pleasure it is to have the noble Baroness, Lady Neville-Rolfe, here today, particularly because she will speak very well to the fact that only a few happy months ago we worked on the Consumer Rights Bill, which is now an Act, in which a power was given to private enforcers to take civil action in courts to protect collective consumer rights via an enforcement order. The campaigning consumer body Which? is the designated private enforcer.

Also, in the financial sector, Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland have the power to present super-complaints to the FCA. The super-complainant system is working very well; one reason why the PPI mis-selling scandal was discovered was as a result of the work of Citizens Advice. These independent enforcers of consumer rights in the traditional consumer sector and in the consumer finance sector exist. Why is there no equivalent status for digital consumer enforcers? That is the question raised by the amendment.

The powers for independent action here are important in themselves and I am sure other noble Lords will speak to that point, but they are also really important at the start of this new regime we are bringing in. With the new Data Protection Bill we have a different arrangement. Far more people are involved and a lot more people are having to think harder about how their data is being used. It makes absolute sense to have a system that does not require too much knowledge or detail, which was aided and abetted by experts who had experience in this, such as Which? and others, and would allow those who are a little fazed by the whole process of trying to raise an action and get things going to have a steady hand that they know will take it on behind them.

The Government will probably argue that by implementing article 80(1) of the GDPR they are providing effectively the same service. That is a system under which an individual can have their case taken up by much the same bodies as would be available under article 80(2). However, when an individual complainant is working with a body such as Which?, we are probably talking about redress of the individual whose rights have been breached in some way and exacting from the company or companies concerned a penalty or some sort of remuneration. One can see in that sense that the linking between the individual and the body that might take that on is important and would be very helpful.

However, there are cases—recent ones come to mind such as TalkTalk, Equifax, Cash Converters and Uber—where data has gone missing and there has been a real worry about what information has escaped and is available out there. I do not think that in those cases we are talking about people wanting redress. What they want is action, such as making sure that their credit ratings are not affected by their data having come out and that they could perhaps get out of contracts. One of the issues that was raised with EE and TalkTalk was that people had lost confidence in the companies and wanted to be able to get out of their contracts. That is not a monetary penalty but a different form of arrangement. In some senses, just ongoing monitoring of the company with which one’s data is lodged might be a process. All that plays to a need to have in law in Britain the article 80(2) version of what is in the GDPR. I beg to move.

Lord Clement-Jones

My Lords, I strongly support Amendment 184. The Minister will have noticed that Amendment 185 would simply import the same provisions into applied GDPR for this purpose. The rationale, which has been very well put forward by the noble Lord, Lord Stevenson, is precisely the same.

I do not know whether the Minister was choking over his breakfast this morning, but if he was reading the Daily Telegraph—he shakes his head. I am encouraged that he was not reading the Daily Telegraph, but he would have seen that a letter was written to his right honourable friend Matt Hancock, the Digital Minister, demanding that the legislation can and should contain the second limb that is contained in the GDPR but is not brought into the Bill. The letter was signed by Which?, Age UK, Privacy International and the Open Rights Group for all the reasons that the noble Lord, Lord Stevenson, put forward. The noble Lord mentioned a number of data breach cases, but the Uber breach came to light only last night. It was particularly egregious because Uber did not tell anybody about it for months and, as far as one can make out from the press reports, it was a pay-off. There is a very important role for such organisations to play on behalf of vulnerable consumers.

The Which? survey was particularly important in that respect because it showed that consumers have little understanding of the kind of redress that they may have following a data breach. A recent survey shows that almost one in five consumers say that they would not know how to claim redress for a data breach, and the same proportion do not know who would be responsible for helping them when data is lost. Therefore the equivalent of a super-complaint in these circumstances is very important. To add to that point, young people are often the target of advertising and analysis using their personal data. I think they would benefit particularly from having this kind of super-complaint process for a data breach.

I hope very much that the Government, who I believe are conducting some kind of review, although it is not entirely clear, will think about this again because it is definitely something we will need to bring back on Report.

--- Later in debate ---
Lord Ashton of Hyde

The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.

To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.

Lord Stevenson of Balmacara

I thank the Minister for his honesty and transparency—but not for the content. Like the noble Lord, Lord Clement-Jones, I find this very odd. Is it not true that when early consultations on the Bill were carried out, the consultation included the possibility that article 80(2) would be implemented—in other words, that the derogation would be accepted—and responses were gathered on that basis? That is what we were told by some of those who were consulted. Therefore, the Government must have had a formal change of mind, either based on their own whim or because they received substantial contributions from very important people who felt that these things should not go forward. I would be interested to follow that up with the Minister, perhaps in another meeting.

I do think this is very strange. Here is an opportunity to win friends, get people on side and offer them something that will be really helpful. We have heard about children; and there are other vulnerable people who are not experts in these areas, for whom a little extra help was promised by the Government because they felt that that would be right. The idea that, in some senses, this would empower a whole industry of people to manufacture claims to get at data holders seems completely ridiculous.

If we look at the comparable arrangements in the consumer field that I tried to draw the Minister’s attention to, we see very strict rules about the levels at which super-complaints can be made: they must be proportionate, relevant and have evidence of support from a wider group of people that allows them to go forward. We are not talking about an open-ended commitment—that would be daft—but when we look at the best way to combat bad practice that affects particular vulnerable groups and is being practised by people who should not do it, this must be in our armoury. We will certainly come back to this—but in the interim, I beg leave to withdraw the amendment.

Amendment 184 withdrawn.

Data Protection Bill [HL]

Lord Stevenson of Balmacara Excerpts
Lord Paddick (LD)

My Lords, I will speak to Amendment 153 in my name and that of my noble friend Lord Clement-Jones. Section 17(1) of the Data Protection Act 1998 states that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner. Effectively, processing personal data without registering and without paying a fee is, at the moment, a strict liability criminal offence. This ensures that all data controllers are aware of their most basic obligations and that a central register of who is processing personal data is maintained. It also provides a simple means of collecting notification fee income.

We have been made acutely aware during the debates on the passage of the Bill of the increased responsibilities that will be placed on the Information Commissioner and the need for her to have additional resources. This is one way of ensuring that she has those resources, provided she is able to keep the fees raised and does not have to hand over large amounts of those fees to the Treasury.

This is an important protection for data subjects, and the Government have asserted that they are strengthening the law to protect data subjects. If the requirement to register is removed, as will happen without this amendment, this will weaken those protections. In addition to protections provided by registration and the increased awareness of the other requirements around data protection as a result of registering, it allows for the Proceeds of Crime Act to be used to confiscate money generated by the unlawful processing of personal data by those who are not registered. This would be lost if this amendment is not adopted.

The amendment seeks to maintain the current position by requiring the Information Commissioner to register all data controllers. However, unlike the current requirement for more detailed information, the amendment requires that the data controller provides only the minimum of information—such as his name and address; if he has nominated a representative for the purposes of the Act, their name and address; and the principal activity or activities undertaken by the data controller.

The Minister may wish to pray in aid article 57(3) of the GDPR, which states:

“The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer”.


We argue that this is a notification fee, not a task performed by the Information Commissioner, and a fee that would be levied on the data controller and not the data protection officer. I beg to move.

Lord Stevenson of Balmacara (Lab)

My Lords, I shall speak to Amendment 153ZA in my name and that of my noble friend Lord Kennedy of Southwark. I support the amendment tabled by the noble Lords, Lord Clement-Jones and Lord Paddick, which is important. We look forward to hearing what the Minister says in response.

Our amendment is in two halves. The first probes the question of what happens in cases where the data controller relies on derogations or limitations provided for under the GDPR that have been brought, directly or indirectly, into UK law through the existence of the GDPR after 25 May 2018 or through secondary legislation, whichever is appropriate. It asks whether there is a need for a bit more guidance on the commissioner’s duties, in that she may wish to look at the proportionality of such reliance by the data controller—in other words, whether it is appropriate relative to the overall aims and objectives placed on the data by the data controller—and whether it is appropriate under the GDPR or its subsequent limitation or derogation. It also asks whether adequate systems are in place to make sure the rights of data subjects are safeguarded. This may seem to be gold-plating, but it is important to understand better how the mechanics of this works in practice. These are very important issues.

The second part returns to an issue we touched on earlier in Committee, but about which there is still concern. We have again had representations on this issue. The amendment is framed as a probing amendment, but it comes back to familiar territory: what will happen in later stages of the life of the Bill as we leave the EU and are required to make sure our own legislative arrangements are in place? At present, the GDPR has an extraterritorial application so that even when companies are not established in the EU they are bound by the GDPR where they offer goods or services to EU citizens or monitor their behaviour. As well as requiring that lawful processing of data is not excessive, data controllers are required to keep data secure.

So far, so good. The important point is that under the GDPR at present—there is no derogation on this—it is necessary for such companies to make sure they have what is called a representative in the EU. This would be a physical office or body, staffed so that where EU citizens wish to take up issues that affect them, such as whether the data is being properly controlled or whether it has been processed legally, contact can be made directly. But under the Bill as I understand it, and I would be grateful if the Minister could confirm what exactly the situation is, after the applied GDPR comes in the requirement for a company to make sure it has a representative in the UK—in the GDPR, it is for a company to have a representative in the EU—will be dropped. If that is right, even if the operating company is well-respected for its data protection laws or is in good standing as far as the EU is concerned, any individual based in the UK would obviously have much more difficulty if there is no representative, such as in a situation with different foreign laws, where an individual would probably rely on an intermediary who may not see non-nationals as a sufficiently high priority. If things do not work out, the individual may have to have recourse to law in a foreign court. This will make it very difficult to enforce new rights.

Is it right that the Government will not require foreign companies operating in the UK after Brexit to have a representative? If it is, how will they get round these problems? I look forward to hearing what the Minister says on these points.

Baroness O’Neill of Bengarve (CB)

My Lords, I have a question about proposed new subsection (2) in Amendment 153, which says that,

“personal data must not be processed unless an entry in respect of the data controller is included in the register”.

That goes a certain distance, but since enormous amounts of personal data in the public domain are not in the control of any data controller, it is perhaps ambiguous as drafted. Surely it should read, “Personal data must not be processed by a data controller unless an entry in respect of the data controller is included in the register”. If that is the intention, the proposed new clause should say that. If it is not, we should recognise that controlling data controllers does not achieve the privacy protections we seek.

--- Later in debate ---
I hope that provides some reassurance to the House authorities. I also hope that, in the light of my response to the proposed amendments, noble Lords feel able not to press them today. Before I finish, I should mention the intervention of the noble Baroness, Lady O’Neill. I asked her for the paragraph she mentioned; I looked at it, but I am afraid I was not quick enough to catch up with her. If I may, I will read her comments in Hansard and reply by letter.
Lord Stevenson of Balmacara

My Lords, I want to come back to an issue relating to the situation post Brexit: companies operating in the UK, for which a representative will not be required. I listened to the Minister very carefully and I understand what he is saying, but I take it that, post Brexit, he is basically relying on the force of the Information Commissioner’s personality and her ability to maintain her current relationships and build on them. As such, when taking issues abroad, individuals in the UK will not have any statutory provision, as they currently do, but will have to rely on the informal mechanisms the Minister mentioned and their own resources. He has failed to answer the question whether that is a good situation to be in as we progress through the Bill, but I will read what he said more carefully and come back to him later.

Lord Paddick

My Lords, I thank the noble Baroness, Lady O’Neill of Bengarve, for her contribution—we will look at that should we bring back the amendment on Report. I also thank the noble Lord, Lord Stevenson of Balmacara, for his support for the amendment.

The Minister said that provision in the 1998 Act requiring all data controllers to be registered was an important part of data protection, yet his argument for not continuing with that seemed to be that it would be difficult to maintain a register with the numbers now involved. Either the register is an important contribution to data protection or it is not. In any event, we should bear in mind that a charge could be levied. The Minister suggested that a register would not be a proportionate use of the Information Commissioner’s resources, but those resources could significantly increase. If the existing law were enforced, it is estimated that an additional £1 billion in income would be possible.

On a detailed central register, I said when introducing the amendment that the detail suggested would be far less than is currently the case. However, we will reflect on what the Minister said. For the moment, I beg leave to withdraw the amendment.

--- Later in debate ---
Moved by
153B: Clause 117, page 63, line 35, leave out subsection (5)
Lord Stevenson of Balmacara

My Lords, the amendment is in my name and that of my noble friend Lord Kennedy. Clause 117 allows the commissioner to inspect personal data held on any automated or structured system where the inspection is necessary,

“to discharge an international obligation of the United Kingdom”.

Before exercising the power, the commissioner under subsection (4) must by written notice inform a controller of her intention. However, this does not apply if the case is “urgent”. Since in every other aspect of the Bill phrases such as “urgent” are usually defined, uniquely in this case it is not, so the amendment is merely to allow the Minister to read into record those cases that he might consider to be urgent. I beg to move.

Lord Ashton of Hyde

My Lords, I am grateful to the noble Lord. I am just looking through my notes to find the bit that states what determines whether a case is urgent—but, before that, I thought he might like to hear the other things that I have to say.

In addition to the essential role of enforcing data protection law in the UK, the Information Commissioner has a role to play where personal data is processed in accordance with international obligations. We are aware of three cases where the commissioner’s oversight is currently required: the Schengen Information System, the Europol Information System and the Customs Information System. The conventions that establish these systems require the supervisory authority to have free access to national sections.

Clause 117 provides that the commissioner may inspect personal data to fulfil an international obligation, as long as the commissioner notifies the controller and any processor in any case where there is sufficient time to do so. The clause is very similar to Section 54A of the 1998 Act, with one slight change: namely, we have made a general power, which the noble Lord will be pleased to see in the Bill. This is intended simply to eliminate the need to legislate for every system the UK joins or leaves, thereby future-proofing the legislation. The amendment would remove the commissioner’s ability to make such an inspection without prior written notice in cases that the commissioner considers urgent. We certainly expect that the commissioner will not normally need to do that and that it will be the exception rather than the rule. The amendment would therefore be a retrograde step since it changes the position that currently pertains in the 1998 Act.

As to what is and is not urgent—I hasten to add that this has never actually been applied by the Information Commissioner—it is for the Information Commissioner to determine. That is consistent with the existing position, as I mentioned, and it remains appropriate, so that each case can be assessed on its own merits. Of course, if the decision of the Information Commissioner were unreasonable, it would be amenable to judicial review. As I said, there is only one example that we know of when the Information Commissioner has needed to make use of the section at all, which was a routine audit that was not deemed urgent. A hypothetical example might be if the commissioner needed to urgently inspect a system if the need arose in the context of a request for extradition. I hope that the noble Lord is satisfied with my explanation and will feel able to withdraw his amendment.

Lord Stevenson of Balmacara

I thank the Minister; he adequately covered the points and I am happy to withdraw the amendment.

Amendment 153B withdrawn.
--- Later in debate ---
Moved by
153C: Clause 119, page 65, line 2, at end insert “subject to the process under section 121”
--- Later in debate ---
Lord Stevenson of Balmacara

My Lords, the amendments in this small group are probing in nature. Amendment 153C is in my name and that of my noble friend Lord Kennedy. Clause 119 places an obligation on the commissioner to publish and keep under review a data-sharing code of practice that would contain guidance on data sharing and good practice, as the name suggests. This is good, we talked about it in some detail in earlier sittings of the Committee and we have no problems with it. It continues a practice that we are well aware of and there are no particular issues arising from it, provided that it continues to be comprehensive and to provide the sort of advice that data controllers and data subjects will need as we go forward.

Amendment 153D raises the question of whether a 40-day approval process for codes should apply, in order to make it clear that codes under Clauses 119 and 120 are subject to parliamentary scrutiny and that the 40-day approval period would fit in with the procedures of Parliament. As I said, this is a probing amendment and I would be grateful to have the comments of the Minister in due course.

Amendment 154A concerns the statement that the commissioner will review and revise the codes regularly, or keep each code under review. There is no specification of the timescale or the frequency of that. I suspect that the answer will be that it will be as seen fit by the Information Commissioner—but if the Minister can shed some light on this, it would be helpful.

Finally, Amendment 154B draws attention to Clause 119(2), which says, at the top of page 65:

“Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code”.


We have already touched on this, and the procedure is not explained. I would like to confirm that, since this matter may be of interest to Parliament, it will be by the affirmative procedure. I look forward to hearing a response and I beg to move.

Baroness Chisholm of Owlpen (Con)

My Lords, as my noble friend and I have mentioned previously, one of the Government’s primary concerns is to ensure that organisations of all sizes are supported in the transition to the new regime. To that end, the Bill maintains the requirement in the Data Protection Act 1998 for the Information Commissioner to publish codes of practice on data sharing and direct marketing.

When these codes are first published, they will rightly be subject to parliamentary scrutiny, although of course “first published” is slightly misleading as almost identical codes have been, or will have been, published under the 1998 Act before the Bill reaches Royal Assent. Either way, Amendments 153C and 153D seek to ensure that any future amendments to the data-sharing code of practice or the direct marketing code of practice are also subject to parliamentary scrutiny. I understand and appreciate the sentiment behind the amendments. I am happy to reassure the noble Lord that under Clause 121(8) it is already the case that amendments to the code are subject to parliamentary scrutiny.

Amendment 154A would require the commissioner to review the codes of practice at least once every three years. However, I point out to the noble Lord that the Bill already requires the commissioner to keep the codes of practice under review while they are in force and the Government do not consider that specifying a three-year timeframe between reviews would add any benefit. Indeed, it might create the misleading impression that the code should be reviewed only once every three years, when in fact it is a continuous process.

Finally, I turn to Amendment 154B. The Bill makes provision for the Information Commissioner to publish additional codes of practice beyond the two codes on data sharing and direct marketing. The noble Lord’s amendment would require any such additional codes to be subject to the affirmative resolution procedure. When preparing such codes, the commissioner must first consult trade associations, data subjects and other stakeholders the commissioner deems appropriate. The Government’s view is that, given the requirement for advance consultation with interested parties, and the fact that any regulations would simply place the commissioner under a duty to issue a code of practice providing practical guidance on the processing of specified classes of personal data of action, the negative resolution procedure remains appropriate.

To sum up, first, the purpose of the two codes of practice is to provide practical guidance to data controllers on the proper application of the data protection legislation; as such, they do not alter the law. Secondly, the procedure used to approve codes and amendments to codes is the same as found in Sections 52A and 52AA of the current Data Protection Act, the latter of which was inserted only earlier this year by the Digital Economy Act. That also means that the Delegated Powers and Regulatory Reform Committee of your Lordships’ House has considered this matter twice in the past year, and we are not aware that it had any concerns. I hope that has reassured the noble Lord and he feels able to withdraw his amendment.

Lord Stevenson of Balmacara

My Lords, I am grateful to the Minister for her comments. She always sounds so reassuring, it is very hard to be critical. She did a rather better job of summarising what my amendments are about than I did—and I say that without any rancour or any concern. I am very grateful to her on all these counts. I beg leave to withdraw the amendment.

Amendment 153C withdrawn.
--- Later in debate ---
Moved by
157A: After Clause 124, insert the following new Clause—
“Personal data ethics code of practice
(1) Within six months of the passing of this Act, the Commissioner must prepare an ethics code of practice for data controllers.
(2) The code must include a duty of care from the data controller and the processor to the data subject.
(3) The code must provide best practice for data controllers and processors on measures which, in relation to the processing of personal data—
  (a) reduce vulnerabilities and inequalities;
  (b) protect human rights;
  (c) increase the security of personal data;
  (d) ensure that the access, use and sharing of personal data is transparent, and the purposes of personal data processing are communicated clearly and accessibly to data subjects.
(4) The code must consider—
  (a) how to support data processing which has clear benefits for users and members of the public;
  (b) the effectiveness of measures to seek the consent of users to the collection and use of their personal data;
  (c) the risks and limitations of new technologies, ensuring that there is sufficient human oversight.
(5) The code must also provide guidance on—
  (a) default privacy settings;
  (b) data minimisation standards;
  (c) presentation and language of terms and conditions;
  (d) transparency of paid for activity, such as product placement and marketing;
  (e) sharing and resale of data;
  (f) veracity and accuracy of information;
  (g) strategies used to encourage extended user engagement;
  (h) user reporting and resolution processes and systems;
  (i) responses to unintended consequences of technological advances in the processing of personal data; and
  (j) any other aspect of design that the Commissioner considers relevant.
(6) Where a data controller or processor does not follow the code under this section, the data controller or processor is subject to a fine to be determined by the Commissioner.
(7) Before preparing the code of practice and prior to every revision, the Commissioner must consult the Secretary of State and relevant stakeholders.
(8) The Secretary of State must bring the code of practice into force by regulations made by statutory instrument.
(9) A statutory instrument containing regulations under this section may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”
Lord Stevenson of Balmacara

My Lords, with so many codes of practice flying around it would not be hard to lose one in the crowd, but this one stands out. With this amendment, we are suggesting to the Government that there is a need at the top of the pyramid for a code of practice which looks at the whole question of data ethics and morality. We discussed this topic in earlier sittings of the Committee and I think we were of one mind that there was a gap in the overall architecture of the organisations supporting data processing, which concerned us, in the sense that there was a need for an expert body.

The body could be some sort of combination along the lines of the HFEA or the Committee on Climate Change. It would have a duty to look at the moral and ethical issues affecting data collection and use, and be able to do some blue-sky thinking and to provide a supervisory approach to the way in which thinking on these matters would have to go. We are all aware, as has been mentioned many times, that this is a fast-moving technology in an area full of change where people feel a bit concerned about where their data is and how it is being looked at. They are worried that they do not have sufficient control or understanding of the processes involved.

The amendment suggests to the Government a data ethics code of practice which I hope they will look at with some care. It would begin to provide a hand of support to individuals who are concerned about their data and how it has been processed. Under this code of practice the commissioner could set out the moral and ethical issues, rather than the practical day-to-day stuff. It would focus on duties of care and need to provide examples of where best practice can be found. It would increase the security of personal data and ensure that the access to its use and sharing were transparent, and that the purposes of data processing were communicated to data subjects.

Some codes of this type already exist. I think that the Royal Statistical Society has been behind a number of codes on the use of our overall statistics, such as that operated within the OSS. Having read that code, I was struck by how apposite it was to some of the issues faced in the data-processing community. Some of the wording of this amendment comes from that, while other wording comes from think tanks and others who are working in this field. It will also come as no surprise to the Committee that some of the detail in the code’s latter subsections about privacy settings, minimisation standards and the language of terms and conditions also featured in the proposed code recommended to the Committee by the noble Baroness, Lady Kidron, in relation to children’s use of the internet and how their data is treated. The amendment meets other interests and examples of activity. It seems to fulfil a need, which is becoming more pressing every day, and is ambitious in its attempt to try to make sure that whatever regulatory and statutory provisions are in place, there will also be a wider dimension employed, which I think we will increasingly be part of.

I do not expect the Government to accept the amendment tout court, because it needs a lot more work. I fully accept that the drafting is a bit rough at the edges, despite the fact that we spent a lot of time in the Public Bill Office trying to get it right. I have already explained that I am not very good at synthesising in the way that the Bill team obviously is. I have no doubt that when he responds the Minister will be able to encapsulate in a few choice words what I have been struggling to say over the past three or four sentences—he nods, so it is clearly going to hit me again. I hope that he will take away from this short debate that this is an issue that will not go away. It is an issue that we need to address, and it may be that the new body, which was, I think, generally accepted by the Committee as something that we should move to in short order, might take on this as its first task. I beg to move.

Lord Clement-Jones (LD)

My Lords, the noble Lord, Lord Stevenson, is too modest about his drafting—I think that this is one of the most important amendments to the Bill that we have seen to date. I am just sorry that we were not quick enough off the mark to put our name to it. I do not know which hand the noble Lord, Lord Stevenson, is using—there seem to be a certain number of hands involved in this—but anybody who has read Jonathan Taplin’s Move Fast and Break Things, as I did over the weekend, would be utterly convinced of the need for a code of ethics in these circumstances. The increasing use of data in artificial intelligence and algorithms means that we need to be absolutely clear about the ethics involved in that application. The noble Lord, Lord Stevenson, mentioned a number of codes that he has based this amendment on, but what I like about it is that it does not predicate any particular code at this stage. It just talks about the desirable architecture of the code. That makes it a very robust amendment.

Like the noble Lord, I have looked at various other codes of ethics. For instance, the IEEE has rather a good code of ethics. This is all of a piece with the stewardship council, the data ethics body that we debated in the previous day in Committee. As the Royal Society said, the two go together. A code of ethics goes together with a stewardship council, data ethics committee or whatever one calls it. You cannot have one without the other. Going forward, whether or not we agree today on this amendment, it is very clear that we need to keep coming back to this issue because this is the future. We have to get it right, and we cannot prejudice the future by not having the right ethical framework.

--- Later in debate ---
Lord Ashton of Hyde

I do not want to be prescriptive on this because the data ethics body has not been set up. We know where we think it is going, but it is still to be announced and the Secretary of State is working on this. The legal powers are in the Bill, and the data ethics body is more likely to be an advisory body.

Lord Stevenson of Balmacara

I thank all noble Lords who have contributed to this debate. It has been a short but high-quality one that has done a lot to tease out some of the issues behind the amendment. I am grateful to the noble Lord, Lord Clement-Jones, for his kind words about what I was saying, but also for reminding me that there were other groups working on this. I absolutely agree that the IEEE is one of the best examples of thinking on this; it may come from a strange source, in the sense that it is a professional body involved more with the electronic side of things, but the wording of the report that I saw was very good and bore very firmly on the issues in this amendment.

So where are we? We seem to be sure that a body will be set up that will be at least advisory in terms of the issues that we are talking about, although I think the Minister was leaving us with the impression that the connection would be made outside the Bill, not within it. That is possibly a bit of a mistake; I think a case is now developing, along the lines set out by my noble friend Lord Puttnam, that we need to see both sides of this in the Bill. We do not need to see the firm regulatory action, the need to comply with the law and the penalties that can be applied by the regulator, the Information Commissioner, but we need to see a context in order to build trust and allow people to understand better what the future growth, change and trends in this area will be, because they are concerned about them. I do not think you can do that if these bodies are completely separate. I suspect we need to be surer about how the connections are to be made, and we will gain if there is in fact a proper connection between the two.

If the Information Commissioner is not to be a moral philosopher—who needs moral philosophers when there are so many around?—she will certainly need to have good advice, which can come only from expertise gathered around the issues that we have been talking about. That is not the same as making sure that she is robust about people applying the law; the difference there is the reason why we want to do that.

The other half of this equation is that it may well be fine for an advisory body to opine about where the moral climate is going and where ethics might take you in practice, but if the companies concerned are not practising what they are hearing, we will be no further forward. Surely a code will have to be devised, whether now or later, to make sure that the lessons learned, the information gathered and the blue sky thinking that is around actually bite on those who are affecting our individuals—whether they be young, vulnerable or adult—and that they are fully compliant with all the aspects of what they have signed up to. We will need to come back to this but, in the meantime, I beg leave to withdraw the amendment.

Amendment 157A withdrawn.
--- Later in debate ---
Moved by
161E: Clause 129, page 70, line 14, at end insert—
“( ) Within the period of three months, beginning with the day on which this Act is passed, the Commissioner must specify in guidance the amounts that constitute a reasonable fee in relation to subsection (1).”
--- Later in debate ---
Lord Stevenson of Balmacara

My Lords, although the amendment’s wording is narrow, it is very much a probing amendment. I hope we will be able to range a bit further on the funding and the structure of the Information Commissioner’s Office, which depends on its ability to raise funding to survive. I will make various points on that.

In some senses the Information Commissioner’s Office is a rather strange regulator, in terms not of its functions, but of the way it has survived a number of possibilities for change and development that have been applied to other sectors of British industry, particularly those relating in some senses to data processing. If noble Lords compare Oftel, the IBM, to some extent the BBC and what has now emerged as Ofcom, they will see a change from the original structure of regulators, which were very largely bodies set up to make sure the previously public sector nature of an activity that had been privatised was done in a way that did not exclude the public interest. These regulators were largely economic in origin and have only gradually added social regulation to their parts.

In a sense the ICO’s journey is different. First, the way these other regulators have moved has not been followed, so the change from a one-off individual dealing with economic and a limited amount of social regulation to being partnerships or boards with a range of individuals appointed to take over various functions—Ofcom is perhaps the easiest example to use—has not been followed. We still have a single regulator which is independent and reports to Parliament, and I understand the structure to be that of a corporation sole, which is an issue that we might want to reflect on.

--- Later in debate ---
Lord Ashton of Hyde

There is a duty for data controllers to pay a charge to the Information Commissioner in the same way as there is a duty today for data controllers to register with the Information Commissioner. The duty applies in both circumstances. In some cases, some data controllers do not register with the Information Commissioner—they are wrong not to do so, but they do not. In the same way, it is possible that some data controllers may not pay the charge that they should. In both cases, in today’s regime and that proposed, there is a duty on data controllers to perform the correct function that they are meant to perform. Controllers do not all register with the Information Commissioner today, although they should, and may not pay their charges. Under the new regime, they should, and an enforcement penalty is able to be levied if they do not.

Lord Stevenson of Balmacara

I am grateful to the Minister for his full response to the group of amendments. I shall look at it carefully in Hansard before we come back on it. Concerns were expressed in other Committee sittings about the burden placed on charities and SMEs, many of which will find the costs they are now required to pay an additional burden—we have seen some figures suggesting that there will be quite a big drag on some smaller companies. The consultation should at least have identified that concern and the Government will be aware of it. If the three-tier system is to be capable of looking at volumes—the implication of what the Minister said is that big international companies will pay more because the volume of the data they process is much greater—there will be equity in that. We will look at how that progresses, but we seem to be on the right lines.

By and large, the thrust of what I was trying to say is that there needs to be a modern response to this system in terms of what is available out there in the marketplace. If a company is paying Ofcom for the regulatory function it provides, it should not be that different if it is also paying the Information Commissioner for what services it provides, because they are two sides of the same coin. On the DPRRC amendment, I note what the noble Lord said and look forward to his further discussion with the Committee on that point. On the broader question about the ICO, there were two points that were not responded to, but perhaps we can look at that again offline.

The great advantage of the new type of regulator exemplified by Ofcom—there are many more examples—is that it is trusted, not just by government but also by industry, to set its own fees and charges in a businesslike way. Indeed, we get responses all the time about how well Ofcom does in satisfying what is required. Of course, if there is a problem about fees—and the Minister said he is on to it—one solution is to ensure that the ICO has that freedom to set the fees and charges appropriate for the work that needs to be done. I think she is probably in a better place to do that than anyone else.

Data Protection Bill [HL]

Lord Stevenson of Balmacara Excerpts
Lord Clement-Jones (LD)

My Lords, the noble Earl, Lord Kinnoull, has clearly and knowledgeably introduced the amendment, which I strongly support. He made clear through his case studies the Bill’s potential impact on the insurance industry, and I very much hope that the Minister has taken them to heart. Processing special category data, including health data, is fundamental to calculating levels of risk, as the noble Earl explained, and to underwriting most retail insurance products. Such data is also needed for the administration of insurance policies, particularly claims handling.

The insurance industry has made the convincing case that if the implementation of the Bill does not provide a workable basis for insurers to process that data, it will interrupt the provision to UK consumers of retail insurance products such as health, life and travel insurance, and especially products with health-related consumer benefits, such as enhanced annuities. The noble Earl mentioned a number of impacts, but estimates suggest that, in the motor market alone, if this issue is not resolved, it could impact on about 27 million policies and see premiums rise by about 3% to 5%.

There is a need to process criminal conviction data for the purposes of underwriting insurance in, for instance, the motor insurance market. Insurers need to process data to assess risk and set the prices and terms for mainstream products such as motor, health and travel insurance.

The key issue of concern is that new GDPR standards for consent for special category data, including health, such as the right to withdraw consent without experiencing detriment, are incompatible with the uninterrupted provision of these products. As the noble Earl, Lord Kinnoull, has clearly stated, there is scope for a UK derogation represented by these amendments, which would be in the public interest, to allow processing of criminal conviction and special category data when it is necessary for arranging, underwriting and administering insurance and reinsurance policies and insurance and reinsurance policy claims. I very much hope that the Minister will take those arguments on board.

Lord Stevenson of Balmacara (Lab)

My Lords, the noble Earl, Lord Kinnoull, has done us a great favour in introducing with great skill these amendments, which get to the heart of problems with some of the language used in the Bill. We are grateful to him for going through and picking out the choices that were before the Government and the way their particular choices seem to roll back some of the advances made in the insurance industry in recent years. I look forward to the Minister’s response.

Our probing Amendment 47 in this group is on a slightly higher level. It is not quite as detailed—nor was it intended to be—as the one moved by the noble Earl. We were hoping to raise a more general question, to which I hope the Minister will be able to respond. Our concern, which meets the concerns raised by the noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, is where the Government want to get to on this. It must be true that insurance is one of the key problems facing many people in our country. It is the topic that will be discussed in the QSD in today’s dinner break as it bears heavily on financial inclusion issues. So many people in this country do not take out insurance, personal or otherwise, and suffer as a result. We have to be very careful as we take this forward as a social issue.

However, an open-ended derogation to allow those who wish to gather information to make a better insurance market surely also raises risks. If we are talking about highly personal profiling—we may not be because there are constraints in the noble Earl’s amendment—it would lead to a more efficient and cheaper insurance industry, but at what personal cost? For instance, if it is possible to pick up data from those who perhaps unadvisedly put on Facebook or Twitter how many times they get drunk—I am sure that is not unusual, particularly among the younger generation—information could be gathered for a profile that ought to be taken into account for their life, health or car insurance. I am not sure that we would be very happy with that.

Underlying our probing amendment is to ask the Minister to respond—it may be possible by letter rather than today—on protections the Government have in mind. What sort of stock points are there that we can rely on as we move forward in this area? As processing becomes more powerful and more data is available, pooled risks are beginning to look a little old-fashioned. The old traditional model under which insurance is gathered is that the more the pool is expanded, the risks are spread out more appropriately across everybody. The trouble is that the more we know, we will be including people who are perhaps more reckless and therefore skewing the pooling arrangements. We have to be careful about that.

There is obviously a social objective in having a more efficient and effective insurance market but this ought to be counterbalanced to make sure that those people who are vulnerable are not excluded or uninsurable as a result. The state could step in, obviously, and has done so, as we have been reminded already in our Committee discussions about the difficulty of getting insurance for those who build on flood plains. However that is not the point here. This is about general insurance across the range of current market opportunities being affected by the fact that we are not ensuring that the data gathered is both proportionate and correct in terms of what it provides for the individual data subjects concerned.

--- Later in debate ---
Lord Ashton of Hyde

I may have misled the noble Lord. I did not say that it does not meet the substantial test but that we had to balance the need to meet the substantial public interest test in the GDPR and the need to provide appropriate safeguards for the data subject. I am not saying that those circumstances do not exist. There is clearly substantial public interest that, as we discussed last week, compulsory classes of insurance should be able to automatically renew in certain circumstances. I am sorry if I misled the noble Lord.

We realised that there are potentially some issues surrounding consent, particularly in the British way of handling insurance where you have many intermediaries, which creates a problem. That may also take place in other countries, so the Information Commissioner will also look at how they address these issues, because there is meant to be a harmonious regime across Europe. The noble Earl has agreed to come and talk to us, and I hope that on the basis of further discussions, he will withdraw his amendment.

Lord Stevenson of Balmacara

I followed the Minister quite well until the last exchange, where I got a bit confused. Is he saying in some sense that there may be a case for two types of derogation: that that which applies to compulsory insurance—there are strong public interest reasons why it should be continued—might be done under one derogation and the rest raised as more specific items, as suggested by the noble Earl?

Lord Ashton of Hyde

We can break it down simply between compulsory and non-compulsory classes. Some classes may more easily fulfil the substantial public interest test than others. In balancing the needs, it goes too far to give a broad exemption for all insurance, so we are trying to create a balance. However, we accept that compulsory classes are important.

--- Later in debate ---
Lord Clement-Jones

I must say how delighted I am that on this occasion we had the noble Lord advocating his own amendment. I was nearly in the hot seat last week, but we have just avoided it. I was delighted at his powerful advocacy because of course the noble Lord is extraordinarily well informed on all matters to do with sport, and this goes to the heart of sport in terms of preventing cheats who prevent the rest of us enjoying what should be clean sport, however that may be defined. All I have to do is pick out one or two of the elements of what the noble Lord said in my supportive comments.

There is the fact that neither “doping” nor “sport” is defined in the Bill, as the noble Lord pointed out. There is no definition of the bodies to be covered by paragraph 21, which is extremely important. He also made an extraordinarily important point about UKAD. Naming UKAD in the Bill, as the amendment seeks to do, would add to its authority and allow it to carry out all the various functions that he outlined in his speech. If it is necessary to add other bodies, as he suggested, that should of course be considered.

The noble Lord’s reference to performance-enhancing substances, which again are mentioned in the amendment and included in the World Anti-Doping Code, ties the Bill together with that code and was very important as well. Finally, the point that he made about gender and the substances used in connection with gender change was bang up to the minute. That, too, must be covered by provisions such as this. So if the Minister is not already discussing these issues with the noble Lord, Lord Moynihan, I very much hope that he is about to and will certainly do so before Report.

Lord Stevenson of Balmacara

My Lords, once again your Lordships’ House is very grateful to the noble Lord, Lord Moynihan, for raising this issue and, as the noble Lord, Lord Clement-Jones, said, for doing so in such a comprehensive way. It is in the context of the much wider range of issues that the noble Lord, Lord Moynihan, has been pursuing regarding how sport, gambling and fairness are issues that all need to be taken together. We have been supporting him on those issues, which need legislation behind them.

Noble Lords may not be aware that we have been slightly accused of taking our time over the Bill. I resist that entirely because we are doing exactly what we should be doing in your Lordships’ House: going through line-by-line scrutiny and making sure that the Bill is as good as it can be before it leaves this House. We saw the noble Lord, Lord Moynihan, at the very beginning of Committee and he then dashed off to Australia to do various things, no doubt not unrelated to sport. He has had time to come back and introduce these amendments—but, meanwhile, the noble Lord, Lord Clement-Jones, and I were debating who was going to pick the straw that would require us to introduce them. We were very lucky not to have to do so because they were introduced so well on this occasion.

Our amendment in this group is a probing amendment that picks up on some of the points already made. It raises the issue of why we are restricting this section of the Bill to “sport”—whatever that is. If we are concerned about performance enhancement, we have to look at other competitive arrangements where people gain an advantage because of a performance-enhancing activity such as taking drugs. For instance, in musical competitions, for which the prizes can be quite substantial, it is apparently possible to enhance one’s performance—perhaps in high trills on the violin or playing the piano more brilliantly—if you take performance-enhancing drugs. Is that not somehow seeking to subvert these arrangements? Since that is clearly not sport, is it not something that we ought to be thinking about having in the Bill as well? I say that because, although the narrow sections of the Bill that relate to sport are moving in the right direction, they do not go far enough. As a society, we are going to have to think more widely about this as we go forward.

Lord Maxton

I am slightly confused by what is a performance-enhancing drug. We have seen athletes and other sportsmen banned in this country for taking what I would call non-enhancing drugs: in other words, cannabis or whatever it might be. In that case they are not performance-enhancing drugs but the reverse of them—yet people can be banned even if taking them is deemed legal in the country where they do so. Even if it is legal to take cannabis, the drug can still be deemed a banned drug by the anti-drug authorities.

Lord Stevenson of Balmacara

My noble friend is quite right. He has obviously been careful to make sure that he has no personal experience of what he talks about and I would like to make it clear that I have none, either. But it is a very tricky area and we are wrong just to dance around it with the idea that we are somehow doing something important in relation to a particular aspect of drug enforcement.

To do this properly, we need a much clearer approach. I realise that I am in danger of rising above the detail here and going back to my high plane of intellectual approach to the Bill for which I have already been criticised—but I hope that when the Minister responds we can get somewhere on this. A meeting on the particular narrow points raised by the government amendment and by the noble Lord, Lord Moynihan, is required. It would be helpful to see the context in which this might operate. I would be happy to attend such a meeting should that be the case.

Data Protection Bill [HL]

Lord Stevenson of Balmacara Excerpts
Monday 13th November 2017

Lords Chamber
Lord Lucas (Con)

My Lords, I thank the Open Rights Group for pushing for this amendment, and particularly the Public Bill Office for getting it into a form that is acceptable in the Bill. This amendment addresses age verification for accessing pornography; currently there are no specific safeguards. However, sexual preferences are very sensitive, so this amendment allows—it does not compel—regulation at a higher level than is currently the case. The pornography industry has a woeful record of regular, large-scale breaches of data security and I do not believe that we should trust it. Even if we think we might trust the industry, we ought to be in a position where we do not have to. Our young people deserve proper protection regarding some very sensitive data.

I believe that we should take this seriously—my experience of young boys of 14 and 15 is that they are being exposed to high-grade pornography on a large scale, something that in the context of their relationships with women later in life we may want to think about carefully. Therefore, surely we should take the opportunity to give ourselves the powers to take action, should we decide that that is necessary, rather than having to come back to primary legislation with all the time and delay that that involves. We can anticipate this difficulty—we can see it coming down the tracks—so let us prepare for it. I beg to move.

Lord Stevenson of Balmacara (Lab)

My Lords, I am completely discombobulated because the noble Lord, Lord Lucas, has hidden himself on the far right-hand side of the Chamber, which makes it very difficult to engage with him—but I am sure we can get over it. He is also incredibly skilful to have got an amendment of this type into the Bill, because we were looking at this issue as well but could not find a way through. I would like a tutorial with him afterwards about how to get inside the interstices of this rather complicated legislative framework.

I must say that I have read his amendment several times and still cannot quite get it. I shall therefore use my usual strategy, which is to come in from an aerial height on a rarefied intellectual plane and ask the Minister to sum up in a way that I can understand—but under the radar I will ask for three things. First, we spent a lot of time on this in the Digital Economy Act. It is an important area and it is therefore important that we get it right. It would be quite helpful to the Committee, and would inform us for the future, if we could have a statement from the Dispatch Box or a letter saying where we have got to on age verification.

I hear rumours that the system envisaged at the time when the Digital Economy Act was going through has not been successful in practice. I think that we have heard from the Minister and others in earlier groups in relation to similar topics that in practice the envisaged age verification system is not being implemented as it stands. What is happening is that the process of trying to clear up this area and making sure that age verification is in place is actually being carried out on a voluntary basis by those who run credit cards and banking services for the companies involved and for whom a simple letter from the regulator, in this case the BBFC, is sufficient to cause them to cease to process any moneys to the sites concerned—and, as a result, that is what is happening in the pornography industry. That may or may not be a good thing—it is probably too early to say—but it was not the intention of the Bill. That was to have a system that was dependent on a proper age verification system and to make the process open and transparent. If it is different, we ought to know that before we start considering these areas.

My third point is that we would rely on Ministers to let us know whether it is necessary to return to this issue in the sense of the information that we hope will be provided. It is only at that level that we can respond carefully to what the noble Lord said—although I have no doubt that it is a very important area.

Lord Elton (Con)

My Lords, perhaps I may intervene between the two Front Benches. I wish to ask my noble friend on the Front Bench not to say—should he be tempted to—that this simply will not work, even if he explains why in great detail, but to say whether what the amendment tries to do is worth doing and, if so, how it can be achieved.

--- Later in debate ---
Moved by
71A: After Clause 11, insert the following new Clause—
“Right to be informed of the commercial exploitation of personal data
(1) Data controllers must notify data subjects of all intended or actual commercial exploitation of their personal data.
(2) The notification under subsection (1) must be made—
(a) at the time when the data subject consents to their personal data being processed by the data controller,
(b) before commercial exploitation takes place, if this is more than six months after the notification in paragraph (a), and
(c) every six months thereafter if the commercial exploitation is ongoing.
(3) Notifications under this section must include—
(a) the primary uses to which the personal data will be put, and
(b) the gross revenues the data controller expects to receive through the exploitation of that personal data.”
Lord Stevenson of Balmacara

My Lords, I was not referring to this amendment specifically in commenting on Amendment 71ZA, but we had difficulty getting this amendment in scope, so as to be in line with our aspirations and what we wanted to discuss today.

Amendment 71A would introduce an individual right for data subjects to be informed by data controllers when there is an actual or intended commercial exploitation of their personal data. Machine learning will allow data companies to get a lot of value out of people’s data—indeed, it already does. It will allow greater and more valuable targeting of advertisements and services on a vast scale, given the way that modern data platforms work. This skews further the balance of power between those companies and the individuals whose data is being exploited.

One could probably describe the current relationship between people and the data companies to whom they give their data as rather unsophisticated. People hand it over for a very low value, as in a bartering service or crude exchange—and, as in a barter economy, it cannot be efficient. This amendment will test whether we can get more power into the hands of the people who make the exchange to make the market function better. The companies’ position is completely the reverse: it is almost that of a monopsony, although as a technical term monopsonies are those situations in which dominant companies set a price for the market, whereas in this case there is no price. It is interesting to follow that line of thought a little further because, where there are monopsonies, the normal remedy put forward by those involved is to publish a standard price list. That improves choice to the point that people are not exploited on the price they pay; it is just a question of choice on quality or service, rather than the price. That at least protects individuals to some extent against the dominant company exploiting control.

The essence of this amendment is an attempt to try to give power back to the people whose data is being used. We are talking about very significant sums of money. I gather from a recent article in the Guardian that the top price you can get for your data—although I am not sure whether “price” is the right word here; “value” might be better—is about $14 each quarter for a company such as Facebook. If you compare that across the world, in the Asia-Pacific region it is worth only about $2. There is a variation, and the reason is the ability to exploit some form of advertising revenue from individual data, so the US, where the highest prices are going to be available, was worth about $2.8 billion in advertising revenue to Facebook last quarter while the second-biggest Facebook market, Europe, was worth only about $1.4 billion, which is about half. You can see how the prices would follow through in terms of the data. We are talking about quite a lot of resource here in terms of how this money flows and how it works.

The process of trying to seek the money has already started. Some companies are now trying to reverse the direction of travel. They go to individuals through the web and offer them the chance to connect all their data together across the social media companies in which they already have it. The companies then value it and try to sell it on behalf of the individuals to the companies concerned. That is obviously the beginning of a market approach to this, which is where this amendment is centred.

I mentioned that I had difficulty getting what I wanted in the scope of the Bill. I think I have mentioned this before, but it seems to us that we do not yet have the right sense of what people’s data represent in relation to the companies that seek to use it. One suggestion we have had is that we might look to the creative industries—not inappropriately since this is a DCMS Bill—and think of it as some form of copyright. If it were a copyright—and it may or may not be possible to establish one’s personal data in a copyright mode—we would immediately be in a world where the data transferring from the individual to the company would be not sold but licensed, and therefore there would be a continuing sense of ownership in the process in which the data is transferred. It would also mean that there would have to be continuing reporting back to the licence holder for the use of the data, and we could go further and expect to follow the creative industries down the track which they currently go. The personal copyright would then have value to the company and there is a waterfall, as they call it, of revenue exploitation so that those who hold the copyright might expect to earn a small but not insignificant amount from it. We begin to see a commercial system, more obviously found in other areas of the marketplace, but it relates to the way in which individuals would have a value in relation to their data, and there might even be a way in which that money could be returned. If you were in that happy situation, what would you do with the money? One would hope that it would be useful to some people, but it might also be possible to accumulate it, perhaps through a collecting society, and see it invested in educational work or improving people’s security in relation to their data, for instance. There are many choices around that.

Having said all that about copyright, I am not particularly wedded to it as a concept because there are downsides to copyright, but it is an issue worth exploring. The essence of the amendment is to try to restore equality of arms between the individual and the companies to which the data is transferred. I beg to move.

Lord Ashton of Hyde

My Lords, I am grateful to the noble Lord, Lord Stevenson, for raising this important subject. I recall the questions that he posed at Second Reading about whether data subjects had sufficient support in relation to the power of companies that wanted to access, use and monetise their data, and I recognise the intention behind his amendment, which he carefully explained. I also agree wholeheartedly with him that these are questions worthy of debate, not only during the passage of this Bill, but over the coming months and years as the digital economy continues to develop. Later in Committee, we may discuss suitable forums where this could take place. These are big questions of data rights and how they are monetised, if they are, versus the growth of the digital economy for public benefit.

--- Later in debate ---
I accept the broader issues that the noble Lord has raised. I think they are worthy of debate but I hope that, given my explanations on the specific areas that his amendment addresses, he feels able to withdraw it.
Lord Stevenson of Balmacara

My Lords, I am very grateful to the Minister for engaging with the issues and for responding so positively to some of the ideas that underlie the amendment. This is an issue that we will need to come back to, but I take the point that the level of detail in the amendment and the impact it may have may not be appropriate at this time, in terms of our understanding of and knowledge about where we are trying to get to.

As the Minister said, there may be opportunities to discuss the way this might be taken forward, including the possibility of the data ethics group. Should the Bill be amended in that way, that would be a base on which this could come forward.

Having said that, this was clearly a probing amendment and I was not expecting a detailed response. The noble Lord was careful to make sure that we were aware of the problems concerning some of the issues, but I put it to him that the technology we are already experiencing—and there is a lot more to come—allows those who have our data to almost magically know things about us, which results in us getting birthday greetings, targeted adverts and everything else. They are already on to us on this, and I do not think we need to worry too much about the burden that might be placed on these poor companies. But I take the point and beg leave to withdraw the amendment.

Amendment 71A withdrawn.
Debate on whether Clause 12 should stand part of the Bill.
Lord Stevenson of Balmacara

My Lords, Clause 12 deals primarily with credit reference agencies. It is not an area that I think we want to go through in complete detail, but in comparing the current version of the Bill with the provisions in the Data Protection Act 1998, in particular Section 39(2), we wondered whether the updating of that provision was entirely correct and thought it would be helpful to give the Minister a chance to respond to that point.

The question that underlies the suggestion that the clause should not stand part is whether Clause 12 constitutes a restriction on a data subject’s access rights. It can be read as a presumption that a data subject in this area is asking only about their financial standing, and not for other data that the credit reference agency might have. The provision therefore might be said to run contrary to the underpinning rationale behind the GDPR that data controllers should be transparent and that data subjects should not be put in the position of having to guess what data is held about them in order to ask for it.

I am sorry to have to refer again to a recital, but recital 63, which the Minister might be aware of, specifies that among other purposes, the right of access is to allow a data subject to be aware of the data held about them so as to be able to,

“verify … the lawfulness of the processing”

that is taking place. This is different from the wording in Clause 12, in that the trigger appears to be based on the quantity of data rather than the type of controller. There is also no presumption about the nature of the data that the data subject wants. I think I have said enough to suggest that there is possibly an issue behind this and I would be grateful if the Minister could respond to that point.

Baroness Chisholm of Owlpen (Con)

My Lords, as your Lordships know, before giving somebody credit, lenders such as banks, loan companies and shops want to be confident that the person can repay the money they lend. To help them do this, they may look at the information held by credit reference agencies.

Credit reference agencies give lenders a range of information about potential borrowers, which lenders use to make decisions about whether or not to offer a person credit. It is safe to say that the three main credit reference agencies in the UK—Equifax, Experian and Callcredit—are likely to hold certain information about most adults in the country. Most of the information held by the credit reference agencies relates to how a person has maintained their credit and their service and utility accounts. It also includes details of people’s previous addresses and information from public sources such as the electoral roll, public records including county court judgments, and bankruptcy and insolvency data.

The information held by the credit reference agencies is also used to verify the identity, age and residency of individuals, to identify and track fraud, to combat money laundering and to help recover payment of debts. Government bodies may also access this credit data to check that individuals are entitled to certain benefits and to recover unpaid taxes and similar debts. Credit reference agencies are licensed by the Financial Conduct Authority.

As noble Lords may be aware, anyone can write to a credit reference agency to request a copy of their credit reference file. Given the sheer volume of requests that such agencies receive, Section 9 of the Data Protection Act 1998 provides that a subject access request made under Section 7 of the Act will be taken to mean a request for information about the person’s financial standing, unless the person makes it clear that he or she is seeking different information. Very importantly, when responding to such a request, Section 9(3) of the 1998 Act requires the credit reference agencies to provide the person with details about how he or she can go about correcting any wrong information held by the agencies. The process for doing so is set out in Section 159 of the Consumer Credit Act 1974, and the 1998 Act makes reference to it. If personal information held about someone is incorrect or out of date, noble Lords will appreciate that it could lead to that person being unfairly refused credit.

Clause 12 of the Bill simply replicates the provisions in Section 9 of the DPA in relation to handling of subject access requests made under article 15 of the GDPR. If it were omitted without anything being put in its place, this could create uncertainty for consumer reference agencies about how they should respond to a subject access request. It would create uncertainty for data subjects, who would no longer be supplied with guidance on how to update details in their file that were wrong or misleading. As far as we are aware, these provisions have worked well over the last 20 years and we can see no reason why they should be omitted from the Bill.

On that basis, I respectfully invite the noble Lord to accept that Clause 12 should stand part of the Bill.

Lord Stevenson of Balmacara

I am grateful to the Minister for her response. I think we agree that any impact on one’s credit standing is a major issue and that it is really important that we get this right. Although she did not specifically say so, I take it that all the big companies involved in this field were consulted before this measure was put forward. One notices, but does not make any comment, that Equifax is one of the companies concerned—and look what happened to it.

The message coming through is that the DPA 1998 provisions are being reproduced here: there is no intention to change them and people should not be concerned about this. On that basis, I will not object to Clause 12 standing part of the Bill.

Clause 12 agreed.
--- Later in debate ---
That all adds up to quite a number of areas in Clause 13 which have either not been properly transposed from article 22, or by some tweaking and clarification of definitions could vastly improve Clause 13. I beg to move, and I look forward to the Minister’s reply.
Lord Stevenson of Balmacara

My Lords, we have a number of amendments in this group and I want to associate myself with many of the points made on the other amendments by the noble Lord, Lord Clement-Jones. I was only sorry that we did not get round to signing up to more of them in time to get some of the glory, because he has picked up a lot of very interesting points.

We will come to later groups of amendments that deal with a broader concern of effects and moral issues in relation to this Bill. It has been growing on me for a number of weeks now, but one of the most irritating things about the Bill, apart from the fact that it does not have the main clauses in it that one wants to discuss, is that every now and again we come up against a brick wall where there is suddenly a big intellectual jump on where we have got to and where we might want to get to through the Bill, and this is one of them.

This whole idea of automated data and how it operates is very interesting indeed. One of the people with whom I have been having conversations around this suggested that, in processing this Bill, we are in danger of not learning from history in your Lordships’ House and indeed Parliament as a whole, in relation to other areas in which deep moral issues are raised. The point was made, which is a good one, that when Parliament was looking at the Human Fertilisation and Embryology Act 1990 there had been four or five years, perhaps slightly longer, of pre-discussion in which all the big issues had been thrashed out both in public and in private—in both Houses and in the newspapers, and in private Bills. There were loads of attempts to try to get to the heart of the issue. We are missing that now, in a way that suggests that it will become a lot clearer when we have discussions later about a data ethics body. I am sure that they will be good and appropriate discussions.

Having said that, the issue here is extremely worrying. We are at the very start of a rich and very interesting development in how computers operate and how machines take away from us a lot of the work that we currently regard as being human work. It is already happening in the world go championship. A computer played the human go champion and beat them easily. Deep Blue, the IBM computer, beat Garry Kasparov the chess player a few years ago. The point is not so much that these things were happening, but that nobody could understand what the machines were doing in relation to the results they were achieving. It is that apparent ability to exceed human understanding that is the great worry behind what people say. Of course, it is quite a narrow area and not one that we need to be too concerned about in terms of a broader approach. But in a world where people say with a resigned shrug that the computer has said no to a request they have made to some website, it is a baleful reflection of the helplessness we all feel when we do not understand what computers are doing to us. Automated processing is one facet of that, and we have to be careful.

We have to think of people’s fears. If they have fears, they will not engage. If they will not engage, the benefits that should flow from this terrific new initiative, new thinking and new way of doing things will be that we do not get the productivity or the changes that will help society as we move forward. We have to think of future circumstances in a reflective way. In a deliberative way we have to think about technical development and public attitudes. It again plays back to the work that was done by Mary Warnock and her team when they were trying to introduce the HFEA. She said, importantly, that reason and sentiment are not necessarily opposed to each other. It is that issue we are trying to grapple with today. The amendments that have been so well introduced by the noble Lord, Lord Clement-Jones, cover that.

The regulatory and legal framework may not be sufficient. Companies obviously have natural duties only to their shareholders. Parliament will have to set rules that make people in those companies take account of public fears, as well as shareholder interests. That approach is not well exemplified in this Bill yet. We need to think about how to allow companies to bring forward new initiatives and push back the boundaries of what they are doing, while retaining public confidence. That is the sort of work that was done on the HFEA and that is where we have to go.

Our Amendment 74 has already been spoken to by the noble Lord, Lord Clement-Jones. It is an important one. There is an issue about whether or not an individual—“a natural person”, as the amendment has it—is involved “in the decision-making process”. We should know that.

--- Later in debate ---
Moved by
78A: After Clause 13, insert the following new Clause—
“Personal Data Ethics Advisory Board
(1) The Secretary of State must appoint an independent Personal Data Ethics Advisory Board as soon as reasonably practicable after the passing of this Act.
(2) The Personal Data Ethics Advisory Board’s functions, in relation to the processing of personal data to which the GDPR and this Act applies, are to—
(a) monitor further technical advances in the use and management of personal data and their implications for the rights of data subjects;
(b) protect the individual and collective rights and interests of data subjects in relation to their personal data;
(c) ensure that trade-offs between the rights of data subjects and the use and management of personal data are made transparently, accountably and inclusively;
(d) seek out good practices and learn from successes and failures in the use and management of personal data; and
(e) enhance the skills of data subjects and controllers in the use and management of personal data.
(3) The Personal Data Ethics Advisory Board must report annually to the Secretary of State.
(4) The report in subsection (3) may contain recommendations to the Secretary of State and the Commissioner relating to how they can improve the processing of personal data and the protection of data subjects’ rights by improving methods of—
(a) monitoring and evaluating the use and management of personal data;
(b) sharing best practice and setting standards for data controllers; and
(c) clarifying and enforcing data protection rules.
(5) The Secretary of State must lay the report in subsection (3) before both Houses of Parliament.”
--- Later in debate ---
Lord Stevenson of Balmacara

My Lords, it always used to be said that reaching the end of your Lordships’ day was the graveyard slot. This is a bit of a vice slot. You are tempted by the growing number of people coming in to do a bit of grandstanding and to tell them what they are missing in this wonderful Bill that we are discussing. You are also conscious that the dinner hour approaches—and I blame the noble Baroness, Lady Hamwee, for that. All her talk of dining in L’Algorithme, where she almost certainly had a soup, a main course and a pudding, means that it is almost impossible to concentrate for the six minutes that we will be allowed—with perhaps a few minutes more if we can be indulged—to finish this very important group. It has only one amendment in it. If noble Lords did not know that, I bet that has cheered them up. I am happy to say that it is also a réchauffage, because we have already discussed most of the main issues, so I will be very brief in moving it.

It is quite clear from our discussion on the previous group that we need an ethics body to look at the issues that we were talking about either explicitly or implicitly in our debates on the previous three or four groups and to look also at moral and other issues relating to the work on data, data protection, automatics and robotics, and everything else that is going forward in this exciting field. The proposal in Amendment 78A comes with a terrific pedigree. It has been brought together by members of the Royal Society, the British Academy, the Royal Statistical Society and the Nuffield Trust. It is therefore untouchable in terms of its aspirations and its attempt to get to the heart of what should be in the contextual area around the new Bill.

I shall not go through the various points that we made in relation to people’s fears, but the key issue is trust. As I said on the previous group, if there is no trust in what is set up under the Bill, there will not be a buy-in by the general public. People will be concerned about it. The computer will be blamed for ills that are not down to it, in much the same way that earlier generations always blamed issues external to themselves for the way that their lives were being lived. Shakespeare’s Globe was built outside the city walls because it was felt that the terribly dangerous plays that were being put on there would upset the lieges. It is why penny dreadfuls were banned in the early part of the last century and why we had a fight about video nasties. It is that sort of approach and mentality that we want to get round to.

There is good—substantial good—to be found in the work on automation and robotics that we are now seeing. We want to protect that but in the Bill we are missing a place and a space within which the big issues of the day can be looked at. Some of the issues that we have already talked about could easily fit with the idea of an independent data ethics advisory board to monitor further technical advances in the use and management of personal data and the implications of that. I recommend this proposal to the Committee and beg to move.

Lord Clement-Jones

My Lords, the noble Lord, Lord Stevenson, has been admirably brief in the pre-dinner minutes before us and I will be brief as well. This is a very important aspect of the debate and, despite the fact that we will be taking only a few minutes over it, I hope that we will return to it at a future date.

I note that the Conservative manifesto talked about a data ethics body, and this is not that far away from that concept. I think that the political world is coalescing around the idea of an ethics stewardship body of the kind recommended by the Royal Society and the British Academy. Whatever we call it—a rose by any other name—it will be of huge importance for the future, perhaps not as a regulator but certainly as a setter of principles and of an ethical context in which AI in particular moves forward.

The only sad thing about having to speed up the process today is that I am not able to take full advantage of the briefing put forward by the Royal Society. Crucially, it recommends two things. The first is:

“A set of high-level principles to help visibly shape all forms of data governance and ensure trustworthiness and trust in the management and use of data as a whole”.


The second is:

“A body to steward the evolution of the governance landscape as a whole. Such a stewardship body would be expected to conduct expert investigation into novel questions and issues, and enable new ways to anticipate the future consequences of today’s decisions”.


This is an idea whose time has come and I congratulate the noble Lords, Lord Stevenson and Lord Kennedy, on having tabled the amendment. I certainly think that this is the way forward.

--- Later in debate ---
Lord Ashton of Hyde

I cannot agree with the noble Baroness’s point. However, I accept that that is a possibility and that things will not last for ever. However, in this case we expect to have the proposals shortly and this Government will definitely be around at that time.

Lord Stevenson of Balmacara

My Lords, I think that is a yes.

Lord Ashton of Hyde

The noble Baroness asked whether it would be enshrined in this Bill. As I tried to explain, it will have a far broader remit than this Bill.

Lord Stevenson of Balmacara

That is a no, then. Oh well, these things happen. You are up one minute and then down. We cannot live like this, can we? However, it is only the Committee stage and we have plenty of time. We can presumably inveigle the Minister into a meeting about this. Not with everyone concerned because that would be too much, but I would be happy to meet him about this on neutral turf if possible. I am fairly confident that we would not want to see the Government voting against a manifesto commitment, which I think I heard him say. We can be reasonably certain that progress can be made on this issue and I wish to signal here our considerable support for that. I look forward to the discussions and beg leave to withdraw the amendment.

Amendment 78A withdrawn.