Amendment 21

Automated Vehicles Bill [HL] - Committee (1st Day) (Continued) – in the House of Lords at 8:45 pm on 10 January 2024.

Moved by Baroness Brinton

21: Clause 6, page 4, line 39, at end insert—

“(6) A person may not be an authorised self-driving entity unless they meet the following requirements—

(a) they have obtained a certificate of compliance with data protection legislation from the Information Commissioner’s Office for their policy in regard to the handling of personal data,

(b) their policy in regard to the handling of personal data clearly outlines who has ownership of any personal data collected, including after the ownership of a vehicle has ended, and

(c) they are a signatory to an industry code of conduct under the UK General Data Protection Regulation.”

Member's explanatory statement

This amendment seeks to probe a number of concerns around data protection and ownership and seeks to prevent authorisation of companies as self-driving entities unless robust personal data practices are in place.

Baroness Brinton Liberal Democrat

My Lords, we move to a group that looks at data protection issues, which were covered at Second Reading. In this group, I have Amendment 21, the Clause 42 stand part notice and Amendments 35 and 36. I have found the Information Commissioner’s Office response to the joint consultation from the Law Commission and the Scottish Law Commission on automated vehicles, dated March 2021, extremely helpful. That response set out the legislative landscape and said, in paragraph 6:

“The consultation refers to Directive 2002/58/EC, known as the ePrivacy directive (‘ePD’), however, reference should be given instead to PECR, which is the UK law that gives effect to the ePD … Section 17.54 notes that the legislator ‘clearly did not have AVs … in mind’ when the Directive was enacted, and that ‘At the time, the typical terminal equipment was a telephone handset’ … Therefore, care must be taken when interpreting the legislation, so that its underlying rationale, and technology neutral approach is fully understood and any proposals accord with its objectives. The ICO has produced guidance” on this. It is saying that GDPR rules are clearly not enough on their own.

I was grateful at Second Reading for the Minister’s clear response on the protection of personal data—I may disagree with what he said but I was grateful for the clarity of the response. He said:

“However, data must remain properly protected. Self-driving vehicles will be subject to existing data protection laws in the UK. Our proposed Bill does not alter that, so manufacturers and government will have to ensure that data is protected”.—[Official Report, 28/11/23; col. 1072.]

I remain concerned that the Bill, especially Clause 42, sets out a very high level, a top level, of legislation—whether primary or secondary, of which we know nothing yet—by which information will be protected, but it does not put in place the mechanisms by which individual people could rest assured that their personal data was being appropriately protected. The ICO further commented on personal data in its response to the Law Commission, at paragraph 12:

“Automated vehicles pose particular challenges in relation to personal data, as often they will process the personal data of several individuals: owners, drivers, passengers and even pedestrians. If the personal data of these users is processed inappropriately, there is a heightened risk of intrusion into individuals’ work and private lives. The Government and technology providers should therefore adopt a data protection by design and default approach, ensuring that privacy protections are built into the design and development of automated vehicles”.

To return to the Bill, Clause 42(4) sets out the offence of breaching data protection, but then Clause 42(5) gives a very wide range of defences, which is, frankly, quite worrying. It says:

“But it is a defence to prove that—(a) the person from whom the information was obtained as described in subsection (1) consented to the disclosure or use, or (b) the recipient reasonably believed that the disclosure or use was lawful”.

I have been trying to think through what this might mean in practice. Let us say that you call an AV—it could be yours; it could be a neighbourhood vehicle; it could be a taxi; it could even be getting on a bus—and when you call it, it will ask you, probably in your app, to confirm the terms and conditions. We all do this every day when we go online; we just tick “Yes”, but do we know what the operating licence holder might be doing with our personal data? Worse, the licence holder or a future recipient of that data, somebody else in the chain of information, might think that disclosure was lawful. Amendment 21 sets out the baseline good practice for any organisation that is dealing with personal data, especially data that the individual is not necessarily aware of.

I want to give the Committee an example I experienced when a number of people and organisations were involved in handling personal data. My dentist—please do not laugh; it is relevant—requires patients to sign online, before they are seen every time, that they are content with their personal, medical and other personal data being held, so that the surgery can better look after patients, with an assurance that it will be held appropriately. That is fine. A couple of years ago, the regular online form changed, and after page one I was asked to sign a different set of Ts and Cs from a specialist data processing company. I clicked through, read the 17-odd pages and discovered that in the small print this multibillion-dollar company wanted my permission to be able to pass my data, medical and personal, on to other interested parties in its group and for other associated services. This included insurance companies, providers of healthcare and pharmaceuticals. I was not happy.

When I raised it with the dental surgery, it was really shocked. It had not clocked the detail because it had not clicked through two or three times, as I had to do, and it dealt with it straightaway, but I am making a point: we are not expecting a single authorised organisation to process all the data. There will be many different tracks coming down the line, and the problem here was that this was an American company using American law, not GDPR. The defence in Clause 42(5) would have succeeded, because one would have automatically ticked on the Ts and Cs thing on the app. That is one of the reasons that, at Second Reading, I probed on protection for data. I hope that my amendments will strengthen what the Government are planning to do.

Amendment 21 sets out the criteria that would have to be met before a person or a body would be permitted to be authorised as a self-driving entity. First, they must

“have obtained a certificate of compliance with data protection legislation” from the ICO for their policy of handling of personal data. Secondly, their policy relating to handling personal data of clients, passengers et cetera must clearly outline

“who has ownership of any personal data collected, including after the ownership of a vehicle has ended”.

Thirdly, they must be

“a signatory to an industry code of conduct under the UK General Data Protection Regulation”.

Because I remain concerned about Clause 42, I have laid that it should not stand part, partly as a probing issue to get the issues out and bring a response from the Minister. I hope the Minister can provide the Committee with stronger reassurance than that given at Second Reading, given the 10 pages of response from the ICO to the Law Commission consultation.

I have two further amendments in this group. In every debate so far—and in meetings with the Minister—the Government have made it plain that the Bill is charting new territories and new technologies that not one other country has yet managed to do. Much of the focus on the Bill is understandably on vehicles, but the other element of newer and untested technology is how data will be used. We know just from the advances in AI over the last few months, let alone year, how fast it changes. Amendment 35 sets out for an annual report to Parliament on the use of personal data in relation to automated vehicles. This way, when the sector responds it can see how many breaches there are and how new technology as yet unseen and unknown—not even thought of—will affect individuals. Equally importantly, we will be able to see trends in data collection so that Governments and Parliament can consider whether further legislation is needed to further regulate the collection of data. Amendment 36 sets out the requirement for the Secretary of State to consult with the ICO in relation to the collection of personal data prior to the Secretary of State making any regulations in relation to personal data collection.

I know that the noble Lord, Lord Liddle, made the point about the Secretary of State making these decisions, and I just want to add at this point that this Government have had a habit of pushing an enormous amount of information into secondary legislation. I think we all understand that some of it needs to be there but, particularly with new technologies and new areas, Parliament is very concerned about giving permission for things that are not yet even understood, let alone explicit.

I also want to add that I support the other amendments in this group from my noble friend Lady Bowles and from the noble Lord, Lord Holmes of Richmond, all of which strengthen the protections needed for a technology that will have even more access to people’s personal data than we know now, whether it is commercial or third-party data. All the amendments in this group are following the ICO’s principal concern.

I say again that AVs pose a risk to individual rights if they have insufficient control over their data and their data protection rights. The ICO says that data systems for AVs should have a data protection system by a design and default approach. After all, it is a new technology.

I really look forward to hearing the Minister’s response. I beg to move.

Baroness Bowles of Berkhamsted Liberal Democrat

My Lords, I have four amendments in this group. I am looking more at the commercial interest side of things, partly because “information” is a very broad word that can mean all kinds of things. My Amendment 29 adds to the end of Clause 14 that information sharing

“must respect rights of ownership and privacy, including with a view to compensation in respect of any commercial rights”.

I will talk more on compensation in connection with later amendments as well, but there is a significant issue here.

Under Clause 14, authorisation requirements may state that there has to be information sharing with the Secretary of State, public authorities and private businesses. Clause 14(4) says that the purpose of the shared information must be disclosed, which is fair enough as far as it goes, but says nothing about privacy or commercial rights. Further, the information may not belong to the body being authorised. It may belong to individuals. Even in an anonymised state, it may belong to others than the authorised entity. I accept that there may be instances where sharing is needed—accidents and failures come immediately to mind—but there will still need to be ways to make sure that neither individual nor commercial rights are undermined.

Others are far more expert than I on the personal data side, but I have some claim to understanding intellectual property rights, as my profession was as a patent attorney. Here, and elsewhere in the Bill, there seems to be no recognition of these rights, of the multiple entities in the chain that may hold them or of the disastrous effect that disclosures in these terms may have, particularly in forcing smaller companies out of their only protections and out of business. If their information, commercial or otherwise, must be disclosed to other bodies, they will end up undermined, which will leave us with only the megabusinesses that have the power and size to withstand such conditions.

What specific attention has been given to intellectual property rights? I am happy to discuss this with the Minister or officials if that would be helpful. Fundamentally, is there an intention to set aside such rights and, if so, under what conditions? Meanwhile, my suggestion is to put in a reference to observation of commercial and privacy rights.

Amendments 34 and 42 are also relevant to intellectual property. They would insert a provision that

“both fair and reasonable compensation” for commercial data

“and protection of personal data are provided”.

Amendment 34 would put this at the end of Clause 42, on protection of information, and Amendment 42 would place it at the end of Clause 88, on the collection, sharing and protection of data. The final subsections of both clauses state that provisions made are

“not to be taken to authorise disclosure or use that would be liable to harm the commercial interests of any person, except to the extent that” the provision otherwise applies or

“the person disclosing or using the information reasonably considers such disclosure or use necessary in view of the purpose of the regulations”.

This provision is useless. It offers commercial and personal protection, but that protection can be taken away by either the provision itself or a person who wants to disclose or use the information. That seems extraordinary. This drives a coach and horses through personal and intellectual property rights.

Whereas in my previous amendment I was concerned about what might be confidential information, here I am also concerned about flouting statutory patent or copyright rights. Data may be commercially confidential as well as valuable, and the means of generating some information could well be patented. Software will have copyright. Setting that aside is astonishing, and it reads as though all those things are possible under these terms. Is it a whole new system of compulsory licensing, setting aside fair commercial reward? The Commons Transport Committee report suggested that there might be occasions when commercial interests had to be overridden, but this was a suggestion from one witness in the context of cybersecurity. I cannot envisage that a free-for-all on data was intended, as that would surely increase vulnerability and help hackers.

Have the Government decided to take that view and, if so, to what extent? Can the Minister please explain? If such a position is being suggested, it needs much tighter drafting as to circumstance and compensation. After all, when we had compulsory licensing provisions for patents, there was reasonable compensation. Those compulsory licence provisions proved both difficult and costly to implement, and ultimately were removed in the Patents Act 1977 because, among other reasons, they were against TRIPS. There may be a recent resurgence of interest, given India’s actions, but are we really joining in the repudiation of WTO positions?

Wary of that history, I think these provisions are unsustainable, as they read to me, and at the very least there should be a provision for fair compensation regarding commercial rights and, of course, protection of personal data. That is what my exploratory amendments suggest, but even compensation is tricky under international conventions, unless there is a right to refuse.

I stress again that these issues are particularly important for smaller companies and that the information that is sought may well come from such a source, as often there are consortiums surrounding how the vehicle is going to be produced in its final version. This is especially the case when looking at software and the connected vehicle aspects. Their entire protection of a small company may be based on commercial information and patent rights, and they will be destroyed if those are set aside.

Finally, my Amendment 31 relates to telling people when information that they have given in an inquiry can be used for other purposes. This amendment inserts at the end of the provision that says:

“The Secretary of State may use the information for any of the investigative purposes in relation to any regulated body, irrespective of the purpose for which it was initially obtained”.

It is another provision that leaves me somewhat queasy, but for now I am suggesting that notice has to be given to whoever gave the information. It may also be reasonable to allow an objection mechanism. The looseness of this provision, allowing use of information, also seems inconsistent with provisions elsewhere—for example, relating to inspections, where information is more closely controlled—and it also seems against judicial provisions, which surely should indicate guiding principles. I am not sure whether I have always correctly interpreted what is written from the Government’s point of view, but in interpreting what is written on the page as I see it, I think there are some substantial problems. When it comes to information being swapped from one inquiry to another, normally if you have given evidence, certainly in a court, it cannot just be then swapped and used in something else. When there are inquiries, individuals may give away information believing that it is for a narrow and specific purpose. I do not believe, if there was any confidentiality or other things around it, they have given permission for it to be swapped elsewhere.

I hope the Minister can look at my amendments and what is in the Bill, and, as well as a response now, maybe come back with a more considered response on whether there are things that can be amended along the lines that I suggest.

Baroness Randerson Liberal Democrat Lords Spokesperson (Transport) 9:00, 10 January 2024

My Lords, I support the amendments in the names of my noble friends Lady Brinton and Lady Bowles. I start by emphasising the importance and strength of the Information Commissioner’s Office’s response to the Law Commissions’ report. Amendment 36 is therefore essential because it involves the ICO in setting the rules and standards.

It seems to me that the issues are twofold: first, the issue of the protection of personal privacy and personal data, and, secondly, the issue of national security. On national security, these vehicles will have an entire knowledge of every part of the UK and the details of the traffic arrangements for the whole of the UK. Can you imagine the impact on the economy of a major cyberattack that could paralyse traffic over a considerable area? I am trying to avoid the idea of some kind of updated version of “The Italian Job”. Any kind of hacking into the system would have national security implications.

Turning to personal privacy, I will pose a couple of simple examples. Imagine that I own a car and I sell it to someone else. The car has collected my data; it knows where I visit on a daily and regular basis. Whose data is it when I sell the car to someone else? The data is an essential part of the operation of that car. It has learnt its way around my city using my favourite routes; it has amended how it operates according to my preferences. At what point does that data cease to be mine and start to belong to the car or its manufacturer? Do I have a right to say, “Wipe it, start afresh and reinstall”? If that is the case, there is the whole issue of public awareness to be tackled.

My second example is of a taxi company. I hire a taxi, so the company concerned therefore knows where I picked it up and where I left it. Does that data belong to the taxi company or to me? I realise that a taxi company now has data on things such as this, but it is in a very much less systematic way.

Turning to whether Clause 42 should stand part, I will quote a couple of sentences from the clause. It says:

“The Secretary of State may make regulations authorising the recipient to … use the information for a purpose other than the purpose for which it was obtained”.

That is a pretty bald phrase and therefore pretty risky. It adds:

“It is an offence for the recipient to … disclose the information … except as authorised by regulations under subsection (3) or any other enactment”.

That is remarkably broad. It also says that

“it is a defence to prove that … the recipient reasonably believed that the disclosure or use was lawful”.

That is a very weak position. It seems to me that in neither respect does the Bill adhere to data protection norms. I urge the Minister to take it back and look at tightening up the data protection aspects of the Bill, in relation to both data protection for the individual and, as my noble friend Lady Bowles emphasised, the commercial aspects of the rights to data.

Lord Tunnicliffe Shadow Spokesperson (Defence), Shadow Minister (Transport) 9:15, 10 January 2024

My Lords, we on these Benches have no amendments in this group, largely because the area is so complex and we cannot rustle up anybody bright enough to understand it—I wish I had got a good lawyer. Hence, I would like to thank the noble Baronesses, Lady Bowles, Lady Brinton and Lady Randerson, for making the subject so interesting and explicit. The closest I got to this area was trying to read the whole Bill, which I staggered through over Christmas. I kept coming across these various little phrases, including the one about such a weak defence for giving away my data. I really feel that the three Baronesses have a very strong point. I look to the Government not to dismiss it because they were told to give no points away but to take it back and discuss with the noble Baronesses how this Bill can be improved. It is a horrible precedent to see data handled so loosely and in such a cavalier manner.

Lord Davies of Gower Parliamentary Under-Secretary (Department for Transport)

My Lords, once again I thank noble Lords for their contributions. I begin with Amendments 29, 34 and 42, tabled by the noble Baroness, Lady Bowles of Berkhamsted. The protection of personal and commercial data is of course a critical issue and one that requires careful consideration. On Amendments 34 and 42, all information collected and shared under Clauses 42 and 88 is subject to restrictions on unauthorised use, breach of which constitutes an offence. Where personal data is collected, this is also subject to data protection legislation. This information can be disclosed or used only for the purposes specified in the regulations made under each respective clause.

As set out in our policy scoping notes, this is a novel policy area, and it is not yet known exactly how information may need to be used or shared. However, as the examples in the notes illustrate, this is likely to be for public interest purposes such as road safety or improved passenger services. On the basis that information sharing will be proportionate and in the public interest, a requirement to pay commercial compensation would be inappropriate.

To further support data protection, the Government will be considering the recommendations by the Centre for Data Ethics and Innovation, in its report Responsible Innovation in Self-Driving Vehicles. These include a recommendation to work with the Information Commissioner’s Office to issue guidance on how data protection obligations apply to self-driving vehicles.

On Amendment 29, all information required to be shared under Clause 14 will be subject to the requirements and safeguards of data protection legislation. The Bill does not change these protections. This information will be used for regulatory purposes to ensure the safe and legal operation of self-driving vehicles. It will also be used to determine criminal and civil liabilities associated with the use of these vehicles. Again, these purposes are proportionate and in the public interest. Businesses will be aware of the regulatory requirements for information sharing prior to seeking authorisation or licensing, and the information will be subject to these obligations from the outset. There would therefore be no expectation that it could be treated as commercially confidential information which holds a market value.

I turn to Amendment 31. The department does not notify entities when using information obtained under an investigation and used in the public interest—for example, to improve road safety. In the case of Clause 22(2), the information would be used for

“any of the investigative purposes in relation to any regulated body”.

These purposes aim to ensure the continued safe and legal operation of self-driving vehicles, and are therefore in the public interest.

The amendment would place an additional administrative burden on the Secretary of State that brought minimal benefit to the regulated body in question, as the investigative purpose would continue none the less. In the case of a regulatory issue being identified, the body would be notified by the appropriate regulatory action, such as a compliance notice. This would then allow the regulated body to challenge the use of information by representations under paragraph 5 of Schedule 1.

On Amendment 21, tabled by the noble Baroness, Lady Brinton, I recognise that she made a characteristically incisive series of detailed points on these issues. I will be happy to meet with her, in addition to the separate meeting we have scheduled on accessibility, to have a fuller discussion on her questions, and I extend the same invitation to other noble Lords.

We believe it is right that the protection of personal data will be considered alongside the detailed development of authorisation requirements—it is an important issue. These requirements will be set out in secondary legislation and will be subject to consultation and impact assessment. The schemes referred to in the amendment are industry led and therefore not within the control of government. There is therefore a risk that they would not achieve the intended result.

On Amendment 35, it is the role of the Information Commissioner’s Office to regulate on data protection issues. The ICO has an existing obligation to report annually to Parliament on the commissioner’s activities. Any report by the Department for Transport would risk duplicating this work. The Department for Transport is also not the data controller for information collected by regulated bodies, which means that such reporting would be inappropriate. Further, the Secretary of State already has a duty under Article 36(4) of the UK GDPR to consult the ICO on proposals for legislative measures. Amendment 36 therefore duplicates an existing requirement.

On Amendment 55B, the Information Commissioner’s Office is the independent regulator responsible for upholding information rights in the public interest. Given its role as a whole-economy regulator, it would be unnecessary and duplicative to establish a separate third-party body, with the same expertise, to oversee the use of personal data by self-driving vehicles.

I turn to the proposal that Clause 42 be removed. Clause 42 contains provisions that constrain the use and disclosure of information obtained through the regulatory framework. The removal of these provisions would open up the possibility of personal data being processed in a much wider manner, such as for reasons of “legitimate interest”. This would amount to a weakening of the data protections in the Bill.

On the points raised about national security, whole-life cyber resilience will be tested as part of the approval processes. The UK has co-chaired the UNECE group developing standards in this area, and government is working with colleagues in the National Cyber Security Centre and the National Protective Security Authority on these issues.

Finally, on the point regarding the protection of personal data when selling a vehicle, in cases where manufacturers and supporting services store data outside the vehicle, all relevant data protections will need to be met. If a vehicle user has given access rights and connections to personal information, it is the responsibility of the user to delete the data from the vehicle. Indeed, this is the same approach as that applied to devices such as mobile phones, which contain similarly large quantities of sensitive data. I ask noble Lords not to press their amendments on this.

Baroness Bowles of Berkhamsted Liberal Democrat

Can I just clarify something? I accept what the Minister says. In most cases there may be a public interest provision and there are not statutory protections on the information that the public interests can win. But where there are—I will take the statutory protection of a patent—that is essentially exerting a Crown user provision with no compensation, which would offend against international treaties.

Lord Davies of Gower Parliamentary Under-Secretary (Department for Transport)

I thank the noble Baroness for that. She raised a number of important points that I have perhaps not addressed fully, and I would be very happy to go back and write to her comprehensively on a couple of them.

Lord Tunnicliffe Shadow Spokesperson (Defence), Shadow Minister (Transport)

Will the Minister copy that to those who have been involved in the debate?

Lord Davies of Gower Parliamentary Under-Secretary (Department for Transport)

I omitted to say that I will copy in all those noble Lords.

Baroness Brinton Liberal Democrat

My Lords, I thank all the contributors to this debate. We are delighted that others have been so supportive of our amendments, which cover a considerable range of data protection issues. I am grateful to the Minister for his response and thank him, because, yes, I think a meeting is particularly important. He said in response to my noble friend Lady Bowles’s first amendment that the Government are not yet sure how data will be used or shared. That is the reason that the ICO is so clear that there needs to be extra provision, because otherwise, if everyone just assumes that it will be the way we have always used GDPR, we—being the Government and the public—are going to come a cropper pretty quickly, not least because technology has changed, is changing and will change again so fast. I hope that, as we have our meeting and progress towards Report, the Government will seriously consider following the ICO’s advice and make very clear, designed-by-default arrangements for this sector, which will be like none that we have seen so far. With that, I withdraw my amendment.

Amendment 21 withdrawn.

Amendment 22 not moved.

Clause 6 agreed.

House resumed.

House adjourned at 9.27 pm.