Data Protection Bill [HL] - Second Reading

Part of the debate – in the House of Lords at 4:08 pm on 10th October 2017.


Lord Stevenson of Balmacara, Opposition Whip (Lords), 4:08 pm, 10th October 2017

My Lords, I thank the Minister for his comprehensive introduction to the Bill. I look forward to working with him, in what seems to be a never-ending stream of legislation from the previously rather quiescent DCMS. This is our sixth Bill together, and long may it continue.

The Minister mentioned his talented team joining him on the Front Bench—this is a joint venture between the DCMS and the Home Office. On my side, I am joined by my noble friend Lord Kennedy and supported by my noble friends Lord Griffiths and Lord Grantchester.

I congratulate the Bill team on the excellence of the paperwork that we have received—I am sure everybody has read it, word for word, all the way through; it is worth it. They are obviously ahead early in the “Bill team of the year” stakes, a prize which they won easily last time on the Digital Economy Bill, and they are building on that.

We also welcome the chance to debate the excellent House of Lords EU Committee report, not least because of the substantial weight of evidence that it has brought to this debate, which I will refer to later.

This is a tricky Bill to get hold of, first because of its size and volume. It is a bulky package and it is not even complete because we are told to expect a large number of amendments still being processed and not yet available which may—who knows?—change it substantially. Even without that, it has 300 paragraphs and 18 schedules, one of which helpfully signposts the way that the Government intend to make changes to the Bill so that the GDPR becomes domestic law when we leave the EU, even though the amendments to make that happen will actually be made by secondary legislation. This is “Hamlet” without the prince.

The GDPR itself, which runs to 98 paragraphs—or articles, as it calls them—and which will be the new data-processing law that comes into force in May 2018 whether or not we in Parliament have agreed it, is not actually printed in the Bill. That therefore raises the concern that—post Brexit, courtesy of another, separate Bill, probably by secondary legislation—the regulations will become UK law without ever having been scrutinised by either House of Parliament. I wonder if other noble Lords share my feeling that this is a bad precedent and, if so, what we might do about it. I suspect that this decision might have made sense were we to stay in the EU but we are going to leave, so there is a gap in our procedures here. That is compounded by the fact that this is a Lords starter Bill that comes to us without the benefit of consideration in the other place, and particularly without the usual evidence-taking sessions that ensure that a Bill meets the needs of those affected by it.

I have a suggestion: given the expertise displayed in the EU Committee report HL Paper 7 that we are debating in parallel today, could the authorities arrange for that committee to look carefully at the Bill and at the GDPR in its printed form and arrange for that committee to bring forward either a report or simply a testimony about what the GDPR contains, how it is reflected in the Bill and how it works? It would help the House to do the job that we ought to be doing of scrutinising this legislation. I gather that the committee is due to meet shortly and perhaps the noble Lord, Lord Jay, who speaks in a few minutes, might respond if he can. I am sorry for embarrassing him if he is not prepared for that.

The Government claim that the Bill,

“will bring our data protection laws up to date”,


“ensure that we can remain assured that our data is safe as we move into a future digital world”.

We will probe that rather florid assertion in Committee over the next few weeks, paying particular reference to the needs of business to have certainty about the rules that will be applied in this key sector of our economy in the medium and long term and the need for consumers, particularly vulnerable people and children, to be better supported and protected in this brave new digital world. What we are embarking on here is the precursor to the legislative nightmare that will accompany all our Brexit discussions. As we will hear from the noble Lord, Lord Jay, and others from the EU Committee who considered this, the key issues are what will happen if we leave the Common Market and the customs union, and whether there are any ways in which the Government can secure unhindered and uninterrupted flows of data between the UK and EU post Brexit. The report concludes that,

“any arrangement that resulted in greater friction around data transfers between the UK and the EU post-Brexit could hinder police and security cooperation. It could also present a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage”. 

In his opening remarks, the Minister said all the right things about the Government’s commitment to unhindered and uninterrupted flows of data post Brexit, but the Bill comprehensively fails to set out how they plan to deliver that outcome. Worse, it may contain measures in Parts 3 and 4 that make it impossible to achieve the “adequacy” agreement, which is the only card that they have left to play post Brexit. You could not make it up.

Some 43% of EU tech companies are based in the UK and 75% of the UK’s data transfers are with EU member states. Even if the Bill successfully aligns UK law with the EU data protection framework as at 25 May 2018, that does not mean that the Bill makes proper provision for the future. On the UK’s exit from the EU, the UK will need to satisfy the European Commission that our legislative framework ensures an “adequate level of protection”, but achieving a positive adequacy decision for the UK is not as uncontentious as the Government think. Under article 45, the GDPR requires the European Commission to consider a wide array of issues such as the rule of law, respect for fundamental rights, and legislation on national security, public security and criminal law when it makes its decision. As has already been pointed out by several commentators, the current surveillance practices of the UK intelligence services may jeopardise a positive adequacy decision, as the UK’s data protection rules do not offer an equivalent standard of protection to that available in the rest of the EU. We will need to pursue this disjuncture in Committee.

The Government seem to have lost sight of the need to ensure continuity during the transition period and afterwards. Surely they must have measures in place to reassure businesses that they will pass the adequacy test and ensure “stability and certainty”, particularly for SMEs, as pointed out by the European Union Committee. If there was any doubt about the importance of this, I draw the attention of your Lordships to a briefing from the ABI which states that the ability to transfer data between firms in different jurisdictions is of particular importance to our insurance and long-term saving providers, who rely on data to provide their customers with the best products at the best price. The association goes on to say that:

“Losing the ability to access, and make use of, European and international data flows risks isolating the UK from the increasingly globalised market. Creating a system where UK insurers have to abide by dual or multiple regulatory systems in order to transfer data internationally will create inefficiencies, legal uncertainty, and risks damaging the global competitiveness of UK insurance”.

My second point was also raised by the European Union Committee. It is about how to establish sustainable longer-term arrangements, about which the Bill is remarkably silent. Even if the UK’s data protection rules are aligned with the EU regime to the maximum extent possible at the point of Brexit, once we leave the EU, policies will be developed within the EU 27 without our input. The EU will inevitably amend or update its rules either by new regulations or by case law derived from ECJ/EU decisions. This is of course a toxic issue for Brexiteers, but it needs to be addressed in the Bill and, no doubt, in many other areas. Perhaps a way forward here would be for the Information Commissioner to have a duty placed on her to make regulations which reflect the changes taking place in the EU, or the Bill could provide for some form of lock-step arrangement under which statutory instruments would be triggered when UK laws need to be amended. We will look at this again in Committee.

I turn now to data protection. Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime. Ensuring that the public can trust that their data is handled safely, whether in the public or the private sector, is important for everyone. If we cannot get this right in the Bill, people will not benefit to the fullest extent possible from the new data-handling services which are coming on stream now and in the future. We welcome the Government’s decision—a rather surprising one—to gold-plate some of the requirements of the legal enforcement directive, particularly the fact that the Bill will ensure that for the first time the data protection regime applies to the intelligence services. Indeed, as the Information Commissioner has observed, including these provisions in a single piece of primary legislation is welcome, although there is a need for much more detail about how this will work in practice.

My point on this is that there seems to be an imbalance in the Bill, with much more consideration being given to the rights of data subjects. At a time of increasing concern about the use and misuse of personal data, is there not a need for a broader and far more ambitious set of regulatory structures for data capitalism, as it is now called? The big tech companies have for far too long got away with the conceit that they are simply neutral platforms. They are not; they are active media and information companies, and their stock market valuations are based on the data flows they generate and how they can be monetised. With that role surely should come broader societal responsibilities, but the Bill does not go into this area at all. There is nothing about regulating fake news, no attempt has been made to ensure that data companies are covered by competition and other regimes which apply to media companies, and there are no proposals to deal with the allegations being made about undue influence by social media companies and others on politics and elections both here and in the US. We will certainly table amendments in this area.

On more concrete issues about the rights of data subjects, we have a number of issues to pursue, although today I shall concentrate on only three: children and the “age of consent”, the rights of data subjects in relation to third-party use of their data, and the proper representation of data subjects. I shall end with some thoughts on the Leveson report and its implications for this Bill.

The Bill proposes to set the age at which children can consent to the processing of their data through “information society services” which include websites and social media platforms at 13 years. That is a surprising decision and no credible evidence has been adduced to support it. Understandably, there is much concern about this low age limit, particularly as the general data protection regulation gives discretion in a range up to 16 years of age. Last month, the Children’s Commissioner for England said:

“The social media giants have … not done enough to make children aware of what they are signing up to when they install an app or open an account”.

These are often the first contracts a child signs in their life, yet,

“terms and conditions are impenetrable, even to most adults”.

I think we can all say “Hear, hear” to that. The commissioner also said:

“Children have absolutely no idea that they are giving away the right to privacy or the ownership of their data or the material they post online”.

Setting an age limit of 13, or even 16, would almost certainly be illegal under the UN Convention on the Rights of the Child, to which the UK is a signatory. Perhaps the Government could respond on that point.

The Children’s Society argues that if companies continue to rely on their current practices—whereby they allow only over-13s to have an account but have no age verification process to check that children who are consenting are the age they state themselves to be—then there will continue to be widespread breaches of both the companies’ own rules and this new Data Protection Act. In the Bill, it is unclear how breaches will be handled by the Information Commissioner and what penalties will be put in place for those companies failing to verify age properly.

There is also no consideration in the Bill about capacity, rather than simply age, or protection for vulnerable children. Although there are arguments for setting the age limit higher—or indeed lower—there is surely a need both for proper evidence to be gathered and for a minimum requirement for companies to have robust age verification systems and other safeguards in place before any such legislation is passed. We will pursue that. There is also the question of the overlap this derogation has with the right to be forgotten, which the Minister mentioned. That right kicks in only at age 18; we need to probe why that is the case and how that will work in practice.

During Committee, we want to check that the current rules affecting data subjects’ personal data are unchanged by the new laws. Taking the data of workers and prospective workers as an example, there are concerns about where personal data has been collected: it should be gathered, used and shared by employers only following affirmative, meaningful consent. The recent disgraceful cases of blacklisting come to mind in that respect, and we are also concerned about whistleblowers’ rights. The House has been very strong on that point.

Concern about the increasing use of algorithms and automatic data processing needs to be addressed, perhaps requiring recording, testing and some level of disclosure about the use of algorithms and data analysis, particularly when algorithms might affect employment or are used in a public policy context. Related to that is the question of the restriction on data subjects’ rights in relation to processing data contained in documents relating to criminal investigations. Here, we agree with the Information Commissioner that the provision, as drafted, restricts not just access rights but the right to rectification, the right to erasure and the restriction of processing. We welcome greater clarification on the policy intent behind this as we go into Committee.

We welcome the Government’s proposal for an offence of knowingly or recklessly re-identifying de-identified personal data without the data controller’s consent. The rapid evolution of technology and growth in the digital economy has led to a vast increase in the availability and value of data. There is a clear need for robust safeguards against misuse in this area.

On representation, we welcome the provision in article 80(1) of the GDPR which gives greater ability for civil society and other representative bodies to act on behalf of citizens and mirrors consumer rights in goods and services. However, article 80(2) contains a provision that the Government have chosen not to implement, under which consumer groups that operate in the privacy field can act on behalf of data subjects without a particular complainant. We think that this super-complainant system would help to protect anonymity and create a stronger enforcement framework. We know we are supported in that belief by the Information Commissioner.

The wider question here is perhaps whether data subjects in general, particularly vulnerable ones, have sufficient support in relation to the power of media companies that want access and use their data. Does any of us know what really happens to our data? The Information Commissioner’s Office already has a huge area of work to cover and may struggle to cover all its new responsibilities. Having a better system for dealing with complaints submitted by civil society bodies may be a good first step, but I wonder whether we might think harder about how this will be organised—perhaps modelled on the Caldicott data guidelines.

Finally, there has been a lot of debate since the publication of the Leveson report on the cultural practices and ethics of the press, particularly on the role of a future regulatory framework. There has been far less discussion on Lord Leveson’s recommendations to extend data protection regulation. I reassure the Government that we do not see this Bill as an opportunity to rerun many of the excellent debates or table amendments that we have already considered in your Lordships’ House in recent years. Of course, much remains to be done in this field, and the Government’s lack of action is a national disgrace and a flagrant betrayal of the victims who trusted them and gave them a once-in-a-generation chance to sort out the situation, which they have comprehensively failed to take. However, if amendments of this type come forward, we will consider them on their merits, although a better approach would be for an all-party consensus to try to bridge the gap once and for all between the press and Parliament. I hope to have further discussions on this point.

I give notice that we will table amendments which probe why the Government have decided not to bring forward the Leveson recommendations covering: exemptions from the Data Protection Act 1998, available for investigative newsgathering by journalists; extending the scope for statutory intervention over the press by the Information Commissioner; and changes to the power, structure, functions and duties of the ICO relevant to the press. We will also probe whether the Government intend to implement amendments previously made to Section 55 of the Data Protection Act by virtue of Section 77 of the Criminal Justice and Immigration Act 2008, which would allow terms of imprisonment of up to two years to be imposed for offences of unlawfully obtaining disclosure of personal data. As the Information Commissioner has previously noted, this has much wider application than just to the press, because there is an increasing number of cases of blagging and unauthorised use of personal data which must be stopped.

The Government have set themselves a very tight timetable to pass this Bill into law before the end of April 2018. We will support the main principles of the Bill, but, as indicated above, many areas need to be scrutinised in depth before we can agree to them. I hope that we can gather more evidence and find a way of bringing Hamlet back into the play by looking in detail at the GDPR before it becomes the law of the land. If data is the new oil, we owe it to the country and particularly our children to get this right and to get our laws fit for the digital age.