Baroness O’Neill of Bengarve (CB)

- Hansard -

Copy Link

-

My Lords, as the last speaker before the winding speeches, I think it is my duty to be extremely brief, so I will try. We have had nearly 20 years of the Data Protection Act. We need this legislation because, if nothing else were the case, the United Kingdom will remain in the European Union on 18 May next year, which is the date of implementation of the new regulation, so we have to do something.

I will make a few rather sceptical remarks about the long-term viability of data protection approaches to protecting privacy. They have, of course, worked, or people have made great efforts to make them work, but I think the context in which they worked, at least up to a point, has become more difficult and they are less likely to work. The definition of personal data used in data protection approaches, and retained here, is data relating to a living individual who is identified, or can be identified, from the data. It is that modal idea of who can be identified that has caused persistent problems. Twenty years ago it was pretty reasonable to assume that identification could be prevented provided one could prevent either inadvertent or malicious disclosure, so the focus was on wrongful disclosure. However, today identification is much more often by inference and it is very difficult to see how inference is to be regulated.

The first time each of us read a detective story, he or she enjoyed the business of looking at the clues and suddenly realising, “Ah, I know whodunnit”. That inference is the way in which persons can be identified from data and, let us admit it, not merely from data that are within the control of some data controller. Data protection is after all in the end a system for regulating data controllers, combined with a requirement that institutions of a certain size have a data controller, so there is a lot that is outside it. However, if we are to protect privacy, there is, of course, reason to think about what is not within the control of any data controller. Today, vast amounts of data are outwith the control of any data controller: they are open data. Open data, as has been shown—a proof of concept from several years ago—can be fully anonymised and yet a process of inference can lead to the identification of persons. This is something we will have to consider in the future in thinking about privacy.

Moreover, throughout the period of data protection, one of the central requirements for the acceptable use of otherwise personal data has been that consent should be sought, yet the concepts of consent used in this area are deeply divisive and various. In commercial contexts, consent requirements are usually interpreted in fairly trivial ways. When we all download new software, we are asked to accept terms and conditions. This is called an end-user licence agreement. You tick and you click and you have consented to 45 pages of quite complicated prose that you did not bother to read and probably would not have understood if you had maintained attention for 45 pages. It does not much matter, because we have rather good consumer protection legislation, but there is this fiction of consent. However, at the other end of the spectrum, and in particular in a medical context, we have quite serious concepts of consent. For example, to name one medical document, the Helsinki Declaration of the World Medical Association contains the delicious thought that the researcher must ensure that the research participant has understood—then there is a whole list of things they have to understand, which includes the financial arrangements for the research. This is a fiction of consent of a completely different sort.

We should be aware that, deep down in this legislation, there is no level playing field at all. There are sectoral regimes with entirely different understandings of consent. We have, in effect, a plurality of regimes for privacy protection. Could we do otherwise or do better? I will not use any time, but I note that legislation that built on the principle of confidentiality, which is a principle that relates to the transfer of data from one party to another, might be more effective in the long run. It would of course have to be a revised account of confidentiality that was not tied to particular conceptions of professional or commercial confidentiality. We have to go ahead with this legislation now, but it may not be where we can stay for the long run.