My Lords, I begin by apologising to the noble Baroness, Lady Finlay of Llandaff, that she is, for the second time running, almost a tail-end Charlie. It was the same on Monday evening and she was extremely gracious in waiting for so long for us to get to her amendment. I welcome her amendment, which highlights an issue that most of us here are acutely aware of when buying goods and services online; namely, the consequence of not ticking a box or, in some cases, unticking a box.
The proposed new clause imposes a fine not exceeding 10% of a seller’s annual gross operating profit if a seller of goods and services on the internet were to retain, share or use the contact information of a buyer without the buyer’s consent to do so. It also makes it a requirement that websites provide a tick-box which is not pre-filled, as a means by which an individual can demonstrate their acceptance of having their contact information processed by the seller.
Although I accept the spirit of the amendment, I do not believe it is necessary, for the following reasons. Clause 77 already places a statutory duty on the Information Commissioner to publish a direct marketing code of practice. Putting the ICO’s direct marketing code of practice on a statutory footing will make it easier for the Information Commissioner to take enforcement action against those organisations in breach of the direct marketing rules under the Data Protection Act and the Privacy and Electronic Communications Regulations. The current direct marketing rules are also clear, stating as follows:
“Organisations will need to be able to demonstrate that consent was knowingly and freely given, clear and specific, and should keep clear records of consent. The ICO recommends that opt-in boxes are used”.
The general data protection regulation—GDPR—which will come into force in May 2018 will introduce tough new measures on consent and will place obligations on data controllers to demonstrate clearly how they obtained consent when processing personal data, such as contact information. Silence or pre-ticked boxes as a form of consent will not be permitted under the GDPR. The GDPR will also allow tougher penalties to be imposed on organisations in breach of the rules: up to 4% of the organisation’s total global annual turnover, or €20 million.
The noble Baroness also suggested that the time limit for retaining personal information should be limited, for example, to a year. The reality is that time is not specified: one should hold on to the information only as long as is necessary to process payment or whatever the application is made for. For these reasons, I hope the noble Baroness will feel able to withdraw her amendment.