Data Protection Bill [Lords]

Brendan O'Hara Excerpts
Money resolution: House of Commons & Programme motion: House of Commons
Monday 5th March 2018

Commons Chamber
Brendan O'Hara (Argyll and Bute) (SNP)

The Scottish National party acknowledges the need for a new and comprehensive data protection framework that safeguards human rights, and updates UK data protection law to bring it in line with the European Union’s general data protection regulation. We want a Data Protection Bill that makes the UK’s data protection laws fit for the digital age, that enshrines the principle of transparency and accountability and that gives all citizens and consumers greater control over who has access to their personal information and what those parties can do with it.

Despite what we have heard in the debate, this is a wide-ranging and complicated Bill. The House is agreed on many aspects of it, but in certain crucial areas, it falls short of what we expect from modern data protection legislation. Specifically, we are concerned about the Bill’s provisions on the UK’s derogation from the GDPR for the purposes of effective immigration control. We also have concerns about automated decision making, the use of national security certificates and the lack of provision for collective redress. We are also very concerned about the consequences for the UK as it tries to secure an adequacy agreement with the European Union, post Brexit.

As the Secretary of State is well aware, SNP Members and the Scottish Government are extremely concerned about clause 168, which concerns section 40 of the Crime and Courts Act 2013. Clause 168 was inserted in the other place and impinges on areas wholly devolved to the Scottish Parliament. Although we will be as constructive as possible in assisting the passage of the Bill, we will table our own amendments and support other Members’ amendments on those issues in Committee.

We will definitely seek to challenge paragraph 4 of part 1 of schedule 2, which is effectively an immigration exemption that permits the Government to collect and hold data without subject knowledge; we find that deeply worrying. Equally concerning is that there is no legal definition of immigration control, or the maintenance of effective immigration control, anywhere in the Bill. Given that effective immigration control is both highly subjective and highly political, I fear it will make individuals’ rights extremely susceptible to changes in political tides. This broad, wide-ranging exemption is fundamentally unfair, and it runs contrary to basic human rights. It is unprecedented and as unnecessary as it is disproportionate.

Under this exemption, the Government will remove any obligation they have under data protection law to inform an individual that their data has been transferred to the Home Office for immigration control purposes. The individual concerned would not know that their data was being held, or that they were under investigation. They would have no right to see what data of theirs was being held by the Home Office, or to find out why it was being held. They would have no way of checking the accuracy of the information held by the Home Office, and they would have no way of correcting any mistakes in that information, which could be used by the Home Office to decide whether they could live in this country.

That means that one early error in data collection or processing could become indisputable fact by the time it reached the Home Office, and the Home Office could base its case against an individual on that. As MPs, we all know how often information held on individuals turns out to be wrong. This is an issue of basic fairness, and it is little wonder that the measure has been roundly condemned by numerous civil liberties groups and by many in the legal profession.

If the measure is enacted, it would be a fundamental change to the way things currently work, whereby data held on an individual can be obtained through a subject access request. As it stands, the Home Office, the applicant and the applicant’s legal representative all have access to the same information, and it is that information on which claims and legal challenges are based. Surely, if both sides do not have access to the same information, the fairness of legal proceedings is inevitably compromised.

Subject access requests are often the only route through which legal professionals can obtain access to such information, and thereby understand the complicated immigration history of some of their clients. Indeed, for applicants who have been the victim of domestic abuse and who were in a controlling relationship for years before seeking help on immigration matters, a subject access request may be their only way of establishing their basis for settlement and for gaining independence from an abusive partner. This exemption will reduce a legal representative’s ability to best represent their client, and it will remove an important tool in holding the Home Office to account when it ignores or seeks to misrepresent the facts.

Further to the comments of the hon. Member for West Bromwich East (Tom Watson), we also strongly recommend that the Government look again at clause 183, and make provision for suitably qualified non-profit organisations to pursue action against data protection infringements of their own accord. This kind of enforcement, where one person or body represents a group of individuals, is known as collective redress. As it stands, clause 183 only allows individuals to request that suitably qualified organisations take up a case on their behalf, rather than allowing such organisations to highlight where they believe a breach of data protection law has occurred.

All too often, individuals are the last to know that their data has been unlawfully used, and in many cases those best placed to identify unlawful practices are the organisations that do the independent research and investigation. We hope that clause 183 can be amended to ensure that not-for-profit organisations have the right to raise complaints themselves when they consider that people’s data protection rights have been infringed.

I also want to raise the matter of automated decision making and, in particular, clause 14, which permits exemptions from the right not to be subject to an automated decision. We strongly believe that automated decision making without human intervention should be subject to the strictest limitations, and it has to address fairness, transparency, accountability and issues of discrimination. The Bill provides insufficient safeguards. This is not about an online retailer suggesting what book or song someone might wish to download, based on previous purchases; this is about decisions being made without human oversight that can have long-term, serious consequences for an individual’s health, or their financial, employment or legal status.

As I understand it, clause 48 would allow law enforcement agencies to make purely automated decisions. This is fraught with danger and is, we believe, not only at odds with the Data Protection Act 1998, but against article 22 of the GDPR, which gives individuals the right not to be subject to purely automated decisions. The GDPR contains provision for EU member states to opt out of this, but that opt-out does not apply if the data subject’s rights, freedoms and legitimate interests are undermined. I urge the Government to look again at those parts of the Bill on automated decision making and to make it explicit that where automated processing is carried out, a human will have to decide whether it is reasonable and appropriate to continue. That human intervention will provide transparency and accountability, and ensure that the state is not infringing an individual’s fundamental rights, liberties and privacy. Those issues are often subjective and beyond the concept of an algorithm.

Another area of concern, which we will raise in Committee, relates to the issuing of national security certificates, which allow restriction of and exemption from a wide range of rights in the Bill and the GDPR on the basis of national security and defence. It is right that a country should have an ability to do what is deemed to be in the best interests of its national security, but many would argue that, since 1998, national security certificates have received insufficient scrutiny of their impact on privacy or their proportionality. We are concerned that the proposals in the Bill go much further than those in the Data Protection Act 1998. We question whether the broad and indefinite nature of those national security exemptions is necessary and proportionate and whether the oversight of the issuing of national security certificates is sufficient. As the Bill is drafted, an individual’s rights could be removed by a politician without any form of judicial oversight. Surely it cannot be right for an individual’s rights to be undermined so easily, purely on the say-so of a Minister.

Of course, even in normal circumstances, the passage of this Bill would be challenging, given its nature, size, scope and complexity, but it has to be seen against the backdrop of Brexit, as does everything we do and have done for the past two years. We have to not only comply with the GDPR, but do so in such a way that the United Kingdom achieves an adequacy decision from the European Commission, allowing it to continue to operate securely and freely within the framework of the GDPR. I fear that much of what is proposed in this Bill, particularly on the immigration exemption and the national security certificates, jeopardises achieving that adequacy decision, as before granting such a decision the European Commission is obliged to consider a variety of issues, including respect for fundamental rights. As we have heard, the GDPR will evolve over time, and the UK will have to maintain adequacy, and that means amending our data protection to keep it in line with European law.

My final point relates to amendment 147 from the other place, which will have the same effect as implementing section 40 of the Crime and Courts Act 2013. The Minister is aware that although data protection is a reserved issue, both criminal justice and press regulation are wholly devolved to the Scottish Parliament. Furthermore, the concept of exemplary damages does not exist in Scots law, and the Scottish Government have no intention of changing the law for the purposes of incentivising participation in a press regulation system. As it stands, this Bill seeks to regulate the press by means of civil procedure, both of which, as I say, are devolved to the Scottish Parliament.

As I said in the Chamber last week, we believe that all individuals should be able to seek redress when they feel they have been the victim of press malpractice, and the Scottish Government will continue to engage with the Scottish press on independent self-regulation. The Secretary of State has had correspondence on this matter from myself and Fiona Hyslop, the Scottish Government’s Cabinet Secretary for Culture, Tourism and External Affairs, who wrote to the UK Government last month making clear the Scottish Government’s position on this matter. On the second part of the Leveson inquiry, she was equally clear that press regulation and any associated issues around the culture, practices and ethics of the press would be a matter for the Scottish Government and that in any future inquiry, the distinct legal context in Scotland must be taken into account. It benefits every one of us to have a data protection regime that is transparent and accountable and that has at its heart the rights of the individual to control what happens with their data.

Although there is much that we agree on in this Bill, there are areas that give us serious cause for concern. In Committee, we will therefore table amendments and support others’ amendments that seek to address concerns about the immigration exemption, collective redress, automated decision making, the scope of national security certificates and, of course, section 40 as it relates to Scotland. These amendments will seek to strengthen the Bill, to guarantee that everyone’s human rights are protected equally and to ensure that, going forward, the UK has the best chance of securing the adequacy decision that it requires, post Brexit.