My Lords, I am delighted to be moving the Second Reading today and look forward gratefully to the help of my right honourable friend the Minister of State at the Home Office and my noble friends Lady Chisholm and Lady Vere.
New technologies have started innumerable economic revolutions, and the pace of change continues to accelerate. It is 20 years since we passed the last Data Protection Act, and since then we have seen the explosive growth of the world wide web, the rise of social media and faster and faster connectivity, powering new devices like the smartphone. The nature of developing technologies such as artificial intelligence and machine learning suggests that continuing transformation and change is the norm.
This has not escaped the notice of your Lordships’ House. Earlier this year we debated many of these issues in the new Digital Economy Act. We have a new Select Committee to examine artificial intelligence, chaired by the noble Lord, Lord Clement-Jones, who is not able to be in his place today as the committee is hearing evidence this afternoon. In March, the Communications Committee published a timely report on growing up with the internet, and just before the Summer Recess the EU Select Committee gave us a very helpful report on data protection. Just yesterday I moved the Second Reading of the Telecommunications Infrastructure (Relief from Non-Domestic Rates) Bill, which will help pave the way for a full-fibre future and 5G. Personal data is the fuel of all these developments. Data is not just a resource for better marketing, better service and delivery. Data is used to build products themselves. It has become a cliché that data is the new oil.
Twenty years ago data protection rights were used to obtain a copy of your credit record or to find out what information about you a public authority had collected. Today we worry daily about cyberattacks, identity theft and online crime. But we are fortunate that our existing laws have protected us well. For all the technological change I have described, we have successfully preserved our rights and freedoms, and we have strong oversight in the shape of an internationally respected Information Commissioner.
Looking ahead, we have three objectives. First, with all this change we need to maintain trust. Data must be secure, with transparency over how they are used and a proportionate but rigorous enforcement regime in place. Secondly, we must support future trading relationships. The free flow of data across international boundaries, subject to safeguards, must be allowed to continue. Thirdly, we must ensure that we can continue to tackle crime in all its guises and protect national security, making sure that our law enforcement agencies can work in partnership domestically as well as internationally.
The Data Protection Bill meets these objectives. It will empower people to take control of their data, support UK businesses and organisations through the change, ensure that the UK is prepared for the future after we have left the EU, and, most importantly, it will make our data protection laws fit for the digital age in which an ever increasing amount of data is being processed. The Bill meets and exceeds international standards, and, with its complete and comprehensive data protection system, will keep the UK at the front of the pack of modern digital economies.
The Bill makes bespoke provision for data processing in three very different situations: general data processing, which accounts for the vast majority of data processing across all sectors of the economy and the public sector; law enforcement data processing, which allows the effective investigation of crime and operation of the criminal justice system while ensuring that the rights of victims, witnesses and suspects are protected; and intelligence services data processing, which makes bespoke provision for data processed by the three intelligence agencies to protect our national security.
The reform of protections for the processing of general personal data will be of greatest interest to individuals and organisations. We are setting new standards for protecting this data in accordance with the general data protection regulation, known as the GDPR. Individuals will have greater control over and easier access to their data. They will be given new rights and those who control data will be more accountable.
In our manifesto at the general election we committed to provide people with the ability to require major social media platforms to delete information held about them, especially when that information related to their childhood. The new right to be forgotten will allow children to enjoy their childhood without having every personal event, achievement, failure, antic or prank that they posted online to be digitally recorded for ever more. Of course, as new rights like this are created, the Bill will ensure that they cannot be taken too far. It will ensure that libraries can continue to archive material, that journalists can continue to enjoy the freedoms that we cherish in this country, and that the criminal justice system can continue to keep us safe.
The new right to data portability—also a manifesto commitment—should bring significant economic benefits. This will allow individuals to transfer data from one place to another. When a consumer wants to move to a new energy supplier, they should be able to take their usage history with them rather than guess and pay over the odds. When we do the weekly supermarket shop online, we should be able to move our shopping list electronically. In the digital world that we are building, these are not just nice-to-haves; they are the changes that will drive innovation and quality, and keep our economy competitive.
The Bill will amend our law to bring us these new rights and will support businesses and others through the changes. We want businesses to ensure that their customers and future customers have consented to having their personal data processed, but we also need to ensure that the enormous potential for new data rights and freedoms does not open us up to new threats. Banks must still be allowed to process data to prevent fraud; regulators must still be allowed to process data to investigate malpractice and corruption; sports governing bodies must be allowed to process data to keep the cheats out; and journalists must still be able to investigate scandal and malpractice. The Bill, borrowing heavily from the Data Protection Act that has served us so well, will ensure that essential data processing can continue.
Having modernised our protections for general data, in Part 3 the Bill then updates our data protection laws governing the processing of personal data by the police, prosecutors and other criminal justice agencies. The Bill will strengthen the rights of data subjects while ensuring that criminal justice agencies can continue to use and share data to investigate crime, bring offenders to justice and keep communities safe. The Bill does not just implement the recent directive on law enforcement data protection; it ensures that there is a single domestic and transnational regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector.
People will have the right to access information held about them, although there are carefully constructed exemptions to ensure that investigations, prosecutions and public safety are not compromised. People will always have the right to ensure that the data held about them is fair and accurate, and consistent with the data protection principles.
Part 4 protects personal data processed by our intelligence agencies. We live in a time of heightened and unprecedented terrorist threat. We are all grateful for the work done to protect us, especially by those whom we see every day protecting us in this House. The intelligence services already comply with robust data-handling obligations and, under the new Investigatory Powers Act, are subject to careful oversight. My noble friend Lady Williams signed the latest commencement order in August to bring into force provisions relating to the oversight of investigatory powers by the Investigatory Powers Commissioner and the other judicial commissioners.
Data processing by the intelligence agencies requires its own bespoke data protection regime, not least because the GDPR standards were not designed for this kind of processing and data processing for national security purposes is outside the scope of EU law. That is why this part of the Bill will instead be aligned with the internationally recognised data protection standards found in the draft modernised Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data.
Noble Lords will be familiar with the role of the Information Commissioner, whose role is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Bill provides for her to continue to provide independent oversight, supervising our systems of data protection, but we are also significantly enhancing her powers. Where the Information Commissioner gives notices to data controllers, she can now secure compliance, with the power to issue substantial administrative penalties of up to 4% of global turnover. Where she finds criminality, she can prosecute.
The Bill modernises many of the offences currently contained in the Data Protection Act, as well as creating two new offences. First, as recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care, the Bill creates a new offence of the unlawful re-identification of de-identified personal data. To elaborate, huge data sets are used by researchers, as well as by those developing new methods of machine learning, and these are often pseudonymised to protect individual privacy. We need to ensure that those who seek to gain through re-identification are clear that we will not tolerate assaults on individual privacy, nor on the valuable data assets that are fuelling our innovative industries.
Secondly, the Bill creates a new offence of altering or destroying personal data to prevent individuals accessing them. Such an offence is already in place in relation to public authorities, but now it will apply to data controllers more generally. We are equipping the commissioner with the powers to deal with a wider range of offending behaviour.
Cybersecurity is not just a priority for the Government but a deep running concern of this House. Effective data protection relies on organisations adequately protecting their IT systems from malicious interference. Our new data protection law will require organisations that handle personal data to evaluate the risks of processing such data and implement appropriate measures to mitigate those risks. Generally, that means better cybersecurity controls.
Under the new data protection framework, if a data breach risks the rights and freedoms of an individual, data controllers—both for general data and law enforcement purposes—are required to notify the Information Commissioner within 72 hours of the breach taking place. In cases where there is a high risk, businesses must notify the individuals concerned. This landmark change in the law will put the need for serious cybersecurity at the top of every business priority list and ensure that we are safer as a nation.
As we move into the digital world of the future, the Data Protection Bill will both support innovation and provide assurance that our data are safe. It will upgrade our legislation, allowing the UK to maintain the gold standard in this important field. Of critical importance, strong protections of personal data are the key to allowing free flows of data to continue between the EU and UK as we build a new partnership. I look forward to hearing noble Lords’ comments on the Bill. I beg to move.