Baroness Neville-Rolfe (Con)

- Hansard -

Copy Link

-

My Lords, I congratulate our Ministers and the Government on bringing this Bill to our House in this timely way. It is extremely technical—and herein lies a danger, because it is also very important and covers matters that can be expected to become even more important over time. We must therefore put aside the temptation to think that technical matters are somehow of lesser importance, simply because we do not fully understand them. I declare an interest as the Minister responsible when the EU parent of this Bill, the GDPR, was adopted. While I saw it as a necessary single market measure and a modernising one, there were a number of provisions that we could have done without, mostly introduced by the European Parliament, such as requiring a specific age of consent, which the Government have now proposed should be 13 in the UK, in line with the United States.

In contrast, as always, our UK approach is market opening. We want a competitive, growing Europe, and we want the digital revolution, with its subset artificial intelligence, to continue to stoke growth. But some in the EU have always been most concerned with giving citizens back control over their personal data, an issues that assumed particular importance following the release of documents involving Chancellor Merkel by WikiLeaks. To be fair, the UK has also in this case stated its wish to simplify the regulatory environment for business, and we need to make sure that that actually happens here in the UK. Committee will give us the chance to talk about the merits of the digital revolution and its darker side, which we touched on during the excellent debate led by the noble Baroness, Lady Lane-Fox. I shall not go over that ground again now, but I add one point to the story told by the noble Lord, Lord Mitchell: my Google Maps app now highlights the location of future engagements in my diary. So that is pretty challenging.

I shall touch as others have done on three concerns. According to the Federation of Small Businesses, the measures represent a significant step up in the scope of data protection obligations. High-risk undertakings could phase additional costs of £75,000 a year from the GDPR. The MoJ did an impact assessment in 2012, which is no doubt an underestimate, since it did not take account of the changes made by the European Parliament, which estimated the cost at £260 million in 2018-19 and £310 million by 2025-26. I am not even sure if that covers charities or public organisations or others who have expressed concerns to me about the costs and the duties imposed. Then there are the costs of the various provisions in the Bill, many levelling up data protection measures outside the scope of the GDPR. It is less confusing, I accept, but also more costly to all concerned.

The truth is that overregulation is a plague that hits productivity. Small businesses are suffering already from a combination of measures that are justified individually—pension auto-enrolment, business rates and the living wage—but together can threaten viability at a time of Brexit uncertainty. We must do all we can to come to an honest estimate of the costs and minimise the burden of the new measures in this legislation.

Also, I know that CACI, one of our leading market analysis companies working for top brands such as John Lewis and Vodafone, thinks that the provisions in the Bill are needlessly gold-plated. Imperial College has contacted me about the criminalisation of the re-identification of anonymised data, which it thinks will needlessly make more difficult the vital security work that it and others do.

The noble Lord, Lord Patel, and the noble Baroness, Lady Manningham-Buller, were concerned about being able to contact people at risk where scientific advance made new treatments available—a provision that surely should be covered by the research exemption.

The second issue is complication. It is a long and complicated Bill. We need good guidance for business on its duties—old and new, GDPR and Data Protection Bill—in a simple new form and made available in the best modern way: online. I suggest that—unlike the current ICO site—it should be written by a journalist who is an expert in social media. The Minister might also consider the merits of online training and testing in the new rules. I should probably declare an interest: we used it in 2011 at Tesco for the Bribery Act and at the IPO for a simple explanation of compliance with intellectual property legislation.

The third issue is scrutiny. I am afraid that, as is usual with modern legislation, there are wide enabling powers in the Bill that will allow much burdensome and contentious subordinate detail to be introduced without much scrutiny. The British Medical Association is very concerned about this in relation to patient confidentiality. Clause 15, according to the excellent Library Note, would allow the amendment or repeal of derogations in the Bill by an affirmative resolution SI, thereby shifting control over the legal basis for processing personal data from Parliament to the Executive. Since the overall approach to the Bill is consensual, this is the moment to take a stand on the issue of powers and take time to provide for better scrutiny and to limit the delegated powers in the Bill. Such a model could be useful elsewhere—not least in the Brexit process.

There are two other things I must mention on which my noble friend may be able to provide some reassurance. First, I now sit on the European Union Committee. I am sorry that duties there prevented me sitting through some of this important debate; we were taking important evidence on “no deal”. As the House knows, the committee is much concerned with the detail of Brexit. Data protection comes up a lot—almost as much as the other business concern, which is securing the continued flow of international talent. I would like some reassurance from my noble friend Lady Williams about the risks of Brexit in the data area. If there is no Brexit deal, will the measures that we are taking achieve equivalence—“adequacy”, in the jargon—so that we can continue to move data around? What international agreements on data are in place to protect us in the UK and our third-country investors? Under an agreed exit, which is my preference, is there a way that our regulator could continue to be part of the European data protection supervisory structure and attend the European Data Protection Board, as proposed by the noble Lord, Lord Jay of Ewelme, the esteemed interim chairman of our European Union Committee—or is that pie in the sky?

Secondly, there is a move among NGOs to add a provision for independent organisations to bring collective redress actions for data protection breaches. I am against this proposal. In 2015 we added such a provision to competition legislation—with some hesitation on my part. This provision needs to demonstrate its value before we add parallel provisions elsewhere. It is in everyone’s interests to have a vibrant economy, but business is already facing headwinds in many areas, notably because of the uncertainty surrounding Brexit. In future it will be subject to a much fiercer data protection enforcement regime under our proposals.

I have talked about the costs and others have mentioned the new duties and there will be maximum fines of up to 4% of turnover for data breaches, compared with £0.5 million at present. We certainly do not need yet another addition to the compensation culture. This could reduce sensible risk taking and perversely deter the good attitudes and timely actions to put things right that you see in responsible companies when they make a mistake. There is a real danger that the lawyers would get to take over in business and elsewhere and give the Bill a bad name. That would be unfortunate.

However, in conclusion, I welcome the positive aspects of this important Bill and the helpful attitude of our Ministers. I look forward to the opportunity of helping to improve it in its course through the House.