Baroness Brinton (LD)

- Hansard -

Copy Link

- - Excerpts

My Lords, we move to a group that looks at data protection issues, which were covered at Second Reading. In this group, I have Amendment 21, the Clause 42 stand part notice and Amendments 35 and 36. I have found the Information Commissioner’s Office response to the joint consultation from the Law Commission and the Scottish Law Commission on automated vehicles, dated March 2021, extremely helpful. That response set out the legislative landscape and said, in paragraph 6:

“The consultation refers to Directive 2002/58/EC, known as the ePrivacy directive (‘ePD’), however, reference should be given instead to PECR, which is the UK law that gives effect to the ePD … Section 17.54 notes that the legislator ‘clearly did not have AVs … in mind’ when the Directive was enacted, and that ‘At the time, the typical terminal equipment was a telephone handset’ … Therefore, care must be taken when interpreting the legislation, so that its underlying rationale, and technology neutral approach is fully understood and any proposals accord with its objectives. The ICO has produced guidance”


on this. It is saying that GDPR rules are clearly not enough on their own.

I was grateful at Second Reading for the Minister’s clear response on the protection of personal data— I may disagree with what he said but I was grateful for the clarity of the response. He said:

“However, data must remain properly protected. Self-driving vehicles will be subject to existing data protection laws in the UK. Our proposed Bill does not alter that, so manufacturers and government will have to ensure that data is protected”.—[Official Report, 28/11/23; col. 1072.]


I remain concerned that the Bill, especially Clause 42, sets out a very high level, a top level, of legislation—whether primary or secondary, of which we know nothing yet—by which information will be protected, but it does not put in place the mechanisms by which individual people could rest assured that their personal data was being appropriately protected. The ICO further commented on personal data in its response to the Law Commission, at paragraph 12:

“Automated vehicles pose particular challenges in relation to personal data, as often they will process the personal data of several individuals: owners, drivers, passengers and even pedestrians. If the personal data of these users is processed inappropriately, there is a heightened risk of intrusion into individuals’ work and private lives. The Government and technology providers should therefore adopt a data protection by design and default approach, ensuring that privacy protections are built into the design and development of automated vehicles”.


To return to the Bill, Clause 42(4) sets out the offence of breaching data protection, but then Clause 42(5) gives a very wide range of defences, which is, frankly, quite worrying. It says:

“But it is a defence to prove that—(a) the person from whom the information was obtained as described in subsection (1) consented to the disclosure or use, or (b) the recipient reasonably believed that the disclosure or use was lawful”.


I have been trying to think through what this might mean in practice. Let us say that you call an AV—it could be yours; it could be a neighbourhood vehicle; it could be a taxi; it could even be getting on a bus—and when you call it, it will ask you, probably in your app, to confirm the terms and conditions. We all do this every day when we go online; we just tick “Yes”, but do we know what the operating licence holder might be doing with our personal data? Worse, the licence holder or a future recipient of that data, somebody else in the chain of information, might think that disclosure was lawful. Amendment 21 sets out the baseline good practice for any organisation that is dealing with personal data, especially data that the individual is not necessarily aware of.

I want to give the Committee an example I experienced when a number of people and organisations were involved in handling personal data. My dentist—please do not laugh; it is relevant—requires patients to sign online, before they are seen every time, that they are content with their personal, medical and other personal data being held, so that the surgery can better look after patients, with an assurance that it will be held appropriately. That is fine. A couple of years ago, the regular online form changed, and after page one I was asked to sign a different set of Ts and Cs from a specialist data processing company. I clicked through, read the 17-odd pages and discovered that in the small print this multibillion-dollar company wanted my permission to be able to pass my data, medical and personal, on to other interested parties in its group and for other associated services. This included insurance companies, providers of healthcare and pharmaceuticals. I was not happy.

When I raised it with the dental surgery, it was really shocked. It had not clocked the detail because it had not clicked through two or three times, as I had to do, and it dealt with it straightaway, but I am making a point: we are not expecting a single authorised organisation to process all the data. There will be many different tracks coming down the line, and the problem here was that this was an American company using American law, not GDPR. The defence in Clause 42(5) would have succeeded, because one would have automatically ticked on the Ts and Cs thing on the app. That is one of the reasons that, at Second Reading, I probed on protection for data. I hope that my amendments will strengthen what the Government are planning to do.

Amendment 21 sets out the criteria that would have to be met before a person or a body would be permitted to be authorised as a self-driving entity. First, they must

“have obtained a certificate of compliance with data protection legislation”

from the ICO for their policy of handling of personal data. Secondly, their policy relating to handling personal data of clients, passengers et cetera must clearly outline

“who has ownership of any personal data collected, including after the ownership of a vehicle has ended”.

Thirdly, they must be

“a signatory to an industry code of conduct under the UK General Data Protection Regulation”.

Because I remain concerned about Clause 42, I have laid that it should not stand part, partly as a probing issue to get the issues out and bring a response from the Minister. I hope the Minister can provide the Committee with stronger reassurance than that given at Second Reading, given the 10 pages of response from the ICO to the Law Commission consultation.

I have two further amendments in this group. In every debate so far—and in meetings with the Minister—the Government have made it plain that the Bill is charting new territories and new technologies that not one other country has yet managed to do. Much of the focus on the Bill is understandably on vehicles, but the other element of newer and untested technology is how data will be used. We know just from the advances in AI over the last few months, let alone year, how fast it changes. Amendment 35 sets out for an annual report to Parliament on the use of personal data in relation to automated vehicles. This way, when the sector responds it can see how many breaches there are and how new technology as yet unseen and unknown—not even thought of—will affect individuals. Equally importantly, we will be able to see trends in data collection so that Governments and Parliament can consider whether further legislation is needed to further regulate the collection of data. Amendment 36 sets out the requirement for the Secretary of State to consult with the ICO in relation to the collection of personal data prior to the Secretary of State making any regulations in relation to personal data collection.

I know that the noble Lord, Lord Liddle, made the point about the Secretary of State making these decisions, and I just want to add at this point that this Government have had a habit of pushing an enormous amount of information into secondary legislation. I think we all understand that some of it needs to be there but, particularly with new technologies and new areas, Parliament is very concerned about giving permission for things that are not yet even understood, let alone explicit.

I also want to add that I support the other amendments in this group from my noble friend Lady Bowles and from the noble Lord, Lord Holmes of Richmond, all of which strengthen the protections needed for a technology that will have even more access to people’s personal data than we know now, whether it is commercial or third-party data. All the amendments in this group are following the ICO’s principal concern.

I say again that AVs pose a risk to individual rights if they have insufficient control over their data and their data protection rights. The ICO says that data systems for AVs should have a data protection system by a design and default approach. After all, it is a new technology.

I really look forward to hearing the Minister’s response. I beg to move.

Lord Davies of Gower (Con)

- View Speech - Hansard -

Copy Link

- - Excerpts

My Lords, once again I thank noble Lords for their contributions. I begin with Amendments 29, 34 and 42, tabled by the noble Baroness, Lady Bowles of Berkhamsted. The protection of personal and commercial data is of course a critical issue and one that requires careful consideration. On Amendments 34 and 42, all information collected and shared under Clauses 42 and 88 is subject to restrictions on unauthorised use, breach of which constitutes an offence. Where personal data is collected, this is also subject to data protection legislation. This information can be disclosed or used only for the purposes specified in the regulations made under each respective clause.

As set out in our policy scoping notes, this is a novel policy area, and it is not yet known exactly how information may need to be used or shared. However, as the examples in the notes illustrate, this is likely to be for public interest purposes such as road safety or improved passenger services. On the basis that information sharing will be proportionate and in the public interest, a requirement to pay commercial compensation would be inappropriate.

To further support data protection, the Government will be considering the recommendations by the Centre for Data Ethics and Innovation, in its report Responsible Innovation in Self-Driving Vehicles. These include a recommendation to work with the Information Commissioner’s Office to issue guidance on how data protection obligations apply to self-driving vehicles.

On Amendment 29, all information required to be shared under Clause 14 will be subject to the requirements and safeguards of data protection legislation. The Bill does not change these protections. This information will be used for regulatory purposes to ensure the safe and legal operation of self-driving vehicles. It will also be used to determine criminal and civil liabilities associated with the use of these vehicles. Again, these purposes are proportionate and in the public interest. Businesses will be aware of the regulatory requirements for information sharing prior to seeking authorisation or licensing, and the information will be subject to these obligations from the outset. There would therefore be no expectation that it could be treated as commercially confidential information which holds a market value.

I turn to Amendment 31. The department does not notify entities when using information obtained under an investigation and used in the public interest— for example, to improve road safety. In the case of Clause 22(2), the information would be used for

“any of the investigative purposes in relation to any regulated body”.

These purposes aim to ensure the continued safe and legal operation of self-driving vehicles, and are therefore in the public interest.

The amendment would place an additional administrative burden on the Secretary of State that brought minimal benefit to the regulated body in question, as the investigative purpose would continue none the less. In the case of a regulatory issue being identified, the body would be notified by the appropriate regulatory action, such as a compliance notice. This would then allow the regulated body to challenge the use of information by representations under paragraph 5 of Schedule 1.

On Amendment 21, tabled by the noble Baroness, Lady Brinton, I recognise that she made a characteristically incisive series of detailed points on these issues. I will be happy to meet with her, in addition to the separate meeting we have scheduled on accessibility, to have a fuller discussion on her questions, and I extend the same invitation to other noble Lords.

We believe it is right that the protection of personal data will be considered alongside the detailed development of authorisation requirements—it is an important issue. These requirements will be set out in secondary legislation and will be subject to consultation and impact assessment. The schemes referred to in the amendment are industry led and therefore not within the control of government. There is therefore a risk that they would not achieve the intended result.

On Amendment 35, it is the role of the Information Commissioner’s Office to regulate on data protection issues. The ICO has an existing obligation to report annually to Parliament on the commissioner’s activities. Any report by the Department for Transport would risk duplicating this work. The Department for Transport is also not the data controller for information collected by regulated bodies, which means that such reporting would be inappropriate. Further, the Secretary of State already has a duty under Article 36(4) of the UK GDPR to consult the ICO on proposals for legislative measures. Amendment 36 therefore duplicates an existing requirement.

On Amendment 55B, the Information Commissioner’s Office is the independent regulator responsible for upholding information rights in the public interest. Given its role as a whole-economy regulator, it would be unnecessary and duplicative to establish a separate third-party body, with the same expertise, to oversee the use of personal data by self-driving vehicles.

I turn to the proposal that Clause 42 be removed. Clause 42 contains provisions that constrain the use and disclosure of information obtained through the regulatory framework. The removal of these provisions would open up the possibility of personal data being processed in a much wider manner, such as for reasons of “legitimate interest”. This would amount to a weakening of the data protections in the Bill.

On the points raised about national security, whole-life cyber resilience will be tested as part of the approval processes. The UK has co-chaired the UNECE group developing standards in this area, and government is working with colleagues in the National Cyber Security Centre and the National Protective Security Authority on these issues.

Finally, on the point regarding the protection of personal data when selling a vehicle, in cases where manufacturers and supporting services store data outside the vehicle, all relevant data protections will need to be met. If a vehicle user has given access rights and connections to personal information, it is the responsibility of the user to delete the data from the vehicle. Indeed, this is the same approach as that applied to devices such as mobile phones, which contain similarly large quantities of sensitive data. I ask noble Lords not to press their amendments on this.

Lord Davies of Gower (Con)

- Hansard -

Copy Link

- - Excerpts

I thank the noble Baroness for that. She raised a number of important points that I have perhaps not addressed fully, and I would be very happy to go back and write to her comprehensively on a couple of them.