Sunday 29 October 2017

Briefing paper to Peers in advance of the Committee Stage of the Data Protection Bill in the House of Lords [30 October 2017]

Your Lordships
This bill has been eagerly awaited by data protection professionals, whose careers depend on its successful passage.
Please don’t worry too much that the bill is so very hard to understand. It's the Government’s way of ensuring that a select band of privacy professionals will be offered very significant salaries to decipher its contents and recommend ways of complying with the key provisions.
The General Data Protection Regulation, which this Bill aims to compliment, but dare not copy out, was also a wasted opportunity to develop laws that the majority of those who were to be affected by them might understand.
Its complexity will also fuel countless debates over the coming years in obscure (data protection-related) internet chat rooms over precisely what the text means, and whether data protection regulators (in the UK’s case, it’s the Information Commissioner) have (a) agreed with their view and (b) bothered to embark on any enforcement action against those that disagree with their view.
Many organisations will not realise just how the legislation affects them, so they will not take steps to develop or improve their data protection practices. To be frank, most organisations I know will not be able to comply with all the requirements even by the end of 2018, even if they’ve already commended their compliance programme. 
And, with regard to those that have not commenced their preparations yet, even if their management were to take the decision today that they should take steps to comply, there’s no way that they could meet the May 2018 deadline (the date when regulators are able to commence enforcement action against offenders). This is because the vast majority of experienced data protection professionals (those that have a reasonable understanding of the requirements) are already fully engaged with other clients.
Regardless of what amendments are accepted today, in a few months time the focus will move from what the statute will say to how it will be enforced. The legislation in itself is unlikely to influence to a significant extent how many data controllers will change their current behaviours.
What will really matter is what guidance will be issued by the ICO, and what enforcement action will be taken against the miscreants.
Just as the value of an investment can rise or fall, the fact that the ICO has been seen by many data protection professionals as a pragmatic, open and engaged regulator in the past does not guarantee that it will continue to adopt a pragmatic and engaged stance in the future. The personality of the person occupying the post of Information Commissioner will be key, as will the resources that are available to the ICO to meet the demands that will be placed on it.
Using a phrase adopted by a previous Information Commissioner, the ICO has, in the past, aimed to be selective to be effective. Whether, in times of extreme public sector cuts, it can continue to recruit and retain the right calibre of staff to enable it to continue to be as effective is an open question. In the short term, I doubt it.
If the new legislation is to have much credibility, it needs to be enforced. It is my hope that the legislation will be enforced, because that will highlight the fault lines that exist. It will expose the difficulty that so many organisations will have in evidencing how they comply with all aspects of the law. It will clarify the areas where compliance is unduly burdensome and, in most respects, a practical impossibility.
Because it is only when the faults in this bill are exposed that a coherent business case will be developed to replace it with proposals that are far fitter for purpose.
The UK has passed data protection legislation in 1984, and 1998, and it will do so again in 2018.
I would not be surprised to see another Data Protection Bill before Parliament by 2024.
….


Wednesday 11 October 2017

The debate on the Data Protection Bill in the House of Lords

What follows below is an edited version of the debate in the House of Lords of the Second Reading of the Data Protection Bill,  held on 10 October.  Colleagues that prefer not to read the entire (46,709 word) transcript of the 5 hour debate will get an impression of the key interventions in this (16,000 word) summary:
My Lords, I am delighted to be moving the Second Reading today.
New technologies have started innumerable economic revolutions, and the pace of change continues to accelerate. Data is not just a resource for better marketing, better service and delivery. Data is used to build products themselves. It has become a cliché that data is the new oil.
In our manifesto at the general election we committed to provide people with the ability to require major social media platforms to delete information held about them, especially when that information related to their childhood. The new right to be forgotten will allow children to enjoy their childhood without having every personal event, achievement, failure, antic or prank that they posted online to be digitally recorded for ever more. Of course, as new rights like this are created, the Bill will ensure that they cannot be taken too far. It will ensure that libraries can continue to archive material, that journalists can continue to enjoy the freedoms that we cherish in this country, and that the criminal justice system can continue to keep us safe.
The new right to data portability—also a manifesto commitment—should bring significant economic benefits. This will allow individuals to transfer data from one place to another. When a consumer wants to move to a new energy supplier, they should be able to take their usage history with them rather than guess and pay over the odds. When we do the weekly supermarket shop online, we should be able to move our shopping list electronically. In the digital world that we are building, these are not just nice-to-haves; they are the changes that will drive innovation and quality, and keep our economy competitive.
The Bill will amend our law to bring us these new rights and will support businesses and others through the changes. We want businesses to ensure that their customers and future customers have consented to having their personal data processed, but we also need to ensure that the enormous potential for new data rights and freedoms does not open us up to new threats. Banks must still be allowed to process data to prevent fraud; regulators must still be allowed to process data to investigate malpractice and corruption; sports governing bodies must be allowed to process data to keep the cheats out; and journalists must still be able to investigate scandal and malpractice. The Bill, borrowing ​heavily from the Data Protection Act that has served us so well, will ensure that essential data processing can continue.
Noble Lords will be familiar with the role of the Information Commissioner, whose role is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Bill provides for her to continue to provide independent oversight, supervising our systems of data protection, but we are also significantly enhancing her powers. Where the Information Commissioner gives notices to data controllers, she can now secure compliance, with the power to issue substantial administrative penalties of up to 4% of global turnover. Where she finds criminality, she can prosecute.
I congratulate the Bill team on the excellence of the paperwork that we have received—I am sure everybody has read it, word for word, all the way through; it is worth it. They are obviously ahead early in the “Bill team of the year” stakes, a prize which they won easily last time on the Digital Economy Bill, and they are building on that.​
This is a tricky Bill to get hold of, first because of its size and volume. It is a bulky package and it is not even complete because we are told to expect a large number of amendments still being processed and not yet available which may—who knows?—change it substantially. Even without that, it has 300 paragraphs and 18 schedules, one of which helpfully signposts the way that the Government intend to make changes to the Bill so that the GDPR becomes domestic law when we leave the EU, even though the amendments to make that happen will actually be made by secondary legislation. This is “Hamlet” without the prince.
The GDPR itself, which runs to 98 paragraphs—or articles, as it calls them—and which will be the new data-processing law that comes into force in May 2018 whether or not we in Parliament have agreed it, is not actually printed in the Bill. That therefore raises the concern that—post Brexit, courtesy of another, separate Bill, probably by secondary legislation—the regulations will become UK law without ever having been scrutinised by either House of Parliament. I wonder if other noble Lords share my feeling that this is a bad precedent and, if so, what we might do about it. I suspect that this decision might have made sense were we to stay in the EU but we are going to leave, so there is a gap in our procedures here. That is compounded by the fact that this is a Lords starter Bill that comes to us without the benefit of consideration in the other place, and particularly without the usual evidence-taking sessions that ensure that a Bill meets the needs of those affected by it.
I have a suggestion: could the authorities look carefully at the Bill and at the GDPR in its printed form and arrange for that committee to bring forward either a report or simply a testimony about what the GDPR contains, how it is reflected in the Bill and how it works? It would help the House to do the job that we ought to be doing of scrutinising this legislation.
In his opening remarks, the Minister said all the right things about the Government’s commitment to unhindered and uninterrupted flows of data post Brexit, but the Bill comprehensively fails to set out how they plan to deliver that outcome. Worse, it may contain measures in Parts 3 and 4 that make it impossible to achieve the “adequacy” agreement, which is the only card that they have left to play post Brexit. You could not make it up.
Some 43% of EU tech companies are based in the UK and 75% of the UK’s data transfers are with EU member states. Even if the Bill successfully aligns UK law with the EU data protection framework as at 25 May 2018, that does not mean that the Bill makes proper provision for the future. On the UK’s exit from the EU, the UK will need to satisfy the European Commission that our legislative framework ensures an “adequate level of protection”, but achieving a positive adequacy decision for the UK is not as uncontentious as the Government think.
On more concrete issues about the rights of data subjects, we have a number of issues to pursue, although today I shall concentrate on only three: children and the “age of consent”, the rights of data subjects in relation to third-party use of their data, and the proper representation of data subjects. I shall end with some thoughts on the Leveson report and its implications for this Bill.​
The Bill proposes to set the age at which children can consent to the processing of their data through “information society services” which include websites and social media platforms at 13 years. That is a surprising decision and no credible evidence has been adduced to support it. Understandably, there is much concern about this low age limit, particularly as the general data protection regulation gives discretion in a range up to 16 years of age. Last month, the Children’s Commissioner for England said:
“The social media giants have … not done enough to make children aware of what they are signing up to when they install an app or open an account”.
These are often the first contracts a child signs in their life, yet,
“terms and conditions are impenetrable, even to most adults”.
I think we can all say “Hear, hear” to that. The commissioner also said:
“Children have absolutely no idea that they are giving away the right to privacy or the ownership of their data or the material they post online”.
Setting an age limit of 13, or even 16, would almost certainly be illegal under the UN Convention on the Rights of the Child, to which the UK is a signatory. Perhaps the Government could respond on that point.
The Children’s Society argues that if companies continue to rely on their current practices—whereby they allow only over-13s to have an account but have no age verification process to check that children who are consenting are the age they state themselves to be—then there will continue to be widespread breaches of both the companies’ own rules and this new Data Protection Act. In the Bill, it is unclear how breaches will be handled by the Information Commissioner and what penalties will be put in place for those companies failing to verify age properly.
There is also no consideration in the Bill about capacity, rather than simply age, or protection for vulnerable children. Although there are arguments for setting the age limit higher—or indeed lower—there is surely a need both for proper evidence to be gathered and for a minimum requirement for companies to have robust age verification systems and other safeguards in place before any such legislation is passed. We will pursue that. There is also the question of the overlap this derogation has with the right to be forgotten, which the Minister mentioned. That right kicks in only at age 18; we need to probe why that is the case and how that will work in practice.
Concern about the increasing use of algorithms and automatic data processing needs to be addressed, perhaps requiring recording, testing and some level of disclosure about the use of algorithms and data analysis, particularly when algorithms might affect employment ​or are used in a public policy context. Related to that is the question of the restriction on data subjects’ rights in relation to processing data contained in documents relating to criminal investigations. Here, we agree with the Information Commissioner that the provision, as drafted, restricts not just access rights but the right to rectification, the right to erasure and the restriction of processing. We welcome greater clarification on the policy intent behind this as we go into Committee.
We welcome the Government’s proposal for an offence of knowingly or recklessly re-identifying de-identified personal data without the data controller’s consent. The rapid evolution of technology and growth in the digital economy has led to a vast increase in the availability and value of data. There is a clear need for robust safeguards against misuse in this area.
On representation, we welcome the provision in article 80(1) of the GDPR which gives greater ability for civil society and other representative bodies to act on behalf of citizens and mirrors consumer rights in goods and services. However, article 80(2) contains a provision that the Government have chosen not to implement, under which consumer groups that operate in the privacy field can act on behalf of data subjects without a particular complainant. We think that this super-complainant system would help to protect anonymity and create a stronger enforcement framework. We know we are supported in that belief by the Information Commissioner.
The wider question here is perhaps whether data subjects in general, particularly vulnerable ones, have sufficient support in relation to the power of media companies that want access and use their data. Does any of us know what really happens to our data? The Information Commissioner’s Office already has a huge area of work to cover and may struggle to cover all its new responsibilities. Having a better system for dealing with complaints submitted by civil society bodies may be a good first step, but I wonder whether we might think harder about how this will be organised—perhaps modelled on the Caldicott data guidelines.
I give notice that we will probe whether the Government intend to implement amendments previously made to Section 55 of the Data Protection Act by virtue of Section 77 of the Criminal Justice and Immigration Act 2008, which would allow terms of imprisonment of up to two years to be imposed for offences of unlawfully obtaining disclosure of personal data. As the Information Commissioner has previously noted, this has much wider application than just to the press, because there is an increasing number of cases of blagging and unauthorised use of personal data which must be stopped.
The Government have set themselves a very tight timetable to pass this Bill into law before the end of April 2018. We will support the main principles of the Bill, but, as indicated above, many areas need to be scrutinised in depth before we can agree to them.
It is clear that the Brexit decision and timetable will cast a long shadow as we debate the Bill. The Information Commissioner, Elizabeth Denham, has already warned that data adequacy status with the EU will be difficult to achieve within the Government’s Brexit timetable and a major obstacle has been erected by the Government themselves. The European withdrawal Bill makes it ​clear that the EU Charter of Fundamental Rights will not become part of UK law as part of the replication process, yet Article 8 of the charter relating to personal data underpins the GDPR. How then will we secure adequacy without adhering to the charter?
While referring to the Information Commissioner, I put on record our view that the Information Commissioner’s Office must continue to be adequately funded and staffed during this period of great uncertainty. The biggest changes since our debates on the Data Protection Act 1998, or even the early stages of the GDPR, which I was involved in as a Minister at the MoJ from 2010 to 2013, is that the threat to civil liberties and personal freedoms now comes not only from agencies of the state but from corporate power as well.
We have become accustomed to the idea that some financial institutions are too big to fail. Are we approaching a situation where these global tech giants are too big to regulate? We have to devise legislation and have the political courage to bring the global tech giants within the compass of the rule of law.
These modern tech giants operate in a world where the sense of privacy which was almost part of the DNA of my own and my parents’ generation is ignored with gay abandon by a generation quite willing to trade their privacy for the benefits, material and social, that the new technology provides.
The elephant in the room always in discussing a Bill such as this is how we get the balance right between protecting the freedoms and civil liberties that underpin ​our functioning liberal democracy while protecting that democracy from the various threats to our safety and well-being. The sophisticated use of new technologies by terrorist groups and organised crime means that we have to make a sober assessment of exactly what powers our police and security services need to combat the terrorist attack and disrupt the drug or people trafficker or the money launderer. The fact that those threats are often overlapping and interconnected makes granting powers and achieving appropriate checks and balances ever more difficult.
On the issue of crime fighting, one point was made with particular vigour by Thomson Reuters. With offerings such as World-Check, it plays a key role in Europe and globally in helping many private sector firms and public authorities identify potential risks in their supply chains, customers and business relationships. It made it clear that it will be needing a number of clarifications in the Bill so that it will be able to continue to provide its important services, and we will probe those concerns and the concerns of others in the private sector in Committee.
There is no doubt that the greater transparency and availability of data provided by government has contributed to citizens’ better understanding of and access to government information and services, but public concerns remain about the use of data in certain sectors. For example, although there are clear benefits to medical research from giving researchers access to anonymised medical data, it remains a matter of concern to the public, the media and the profession itself.
I do not believe that sprinkling Bills with Henry VIII clauses is an answer to the challenge of future-proofing. Perhaps there is a case for expanding the remit of the National Data Guardian to act as an early warning system on wider data abuse—or that of the Information Commissioner or our own Select Committee—but there is a need. I fear that without some permanent mechanism in place, we will be for ever running up the down escalator trying to match legal protections to technical capacity. But that is no excuse for not trying to improve the Bill before us.
My Lords, as chairman of the EU Home Affairs Sub-Committee, I will speak mainly about the EU Committee’s report on the EU data protection package, which we are debating alongside the Second Reading of the Data Protection Bill.
In their recent Brexit position paper, The Exchange and Protection of Personal Data—A Future Partnership Paper, the Government said that they wanted to maintain free and uninterrupted data flows with the EU after we leave; and in proposing a new security and criminal justice treaty between the UK and the EU in her recent Florence speech, the Prime Minister laid out her ambition for a model underpinned by, among other things, high standards of data protection. Our report supports this objective: free and uninterrupted data flows matter to us all. But the committee was struck by the absence of clear and concrete proposals for how the Government plan to deliver that objective. The stakes are high, not least because the introduction of greater friction in data transfers could present a real barrier to future trade. It is hard to overstate the importance of cross-border data flows to the UK economy. Getting on for half of all large EU digital ​companies are based in the UK, and three-quarters of the UK’s cross-border data flows are with EU countries. What is more, any impediments to data flows following our withdrawal from the EU could seriously hinder police and security co-operation, and that means that lives, not just money, are at stake.
In our report, we considered four elements of the EU’s data protection package: the general data protection regulation—the GDPR—which the Data Protection Bill seeks to transpose into UK law; the police and criminal justice directive; the EU-US privacy shield, and the EU-US umbrella agreement. Both the regulation and the directive will enter into force in May 2018, while we are still a member of the EU. The agreements with the US are already in force, but will cease to apply to the UK after our withdrawal. Our report considers the Government’s policy options both short and long term.
The committee wanted first to look at possible data protection arrangements once the UK becomes a third country outside the EU, and we heard evidence on two broad options. The first option is for the UK Government to secure a so-called adequacy decision from the European Commission which would certify that the UK offered a standard of protection that was “essentially equivalent” to EU data protection standards. To date, the Commission has adopted 12 such decisions. The second option would be for individual data controllers and processors to adopt their own safeguards using tools such as standard contractual clauses and binding corporate rules. Our report comes to a clear conclusion that this second option would be less effective. The tools available to individual data controllers, including small businesses, are bureaucratic and would be vulnerable to legal challenges. We therefore agree with the Information Commissioner that the Government should seek an adequacy decision for the UK as a whole. This should offer certainty for businesses, particularly SMEs. It would also follow the approach taken by Switzerland, which has secured an adequacy decision from the EU. I am therefore pleased that the Government’s position paper also calls for a future relationship that builds on the adequacy model.
But there is a fly in this particular ointment. The general data protection regulation only provides for adequacy decisions for third countries, not countries leaving the EU. Decisions also follow a lengthy procedure, so the chances of having an adequacy decision in place by March 2019 are small. So to avoid a cliff edge, we will need transitional arrangements. The Government’s position paper acknowledges this but lacks detail. I hope that in responding to this debate the Minister will update us on the Government’s thinking on transition and perhaps provide some more of that detail. In particular, I hope that as a Home Office Minister she can comment on the risks facing law enforcement. One of the most striking findings in our inquiry was that as a third country the UK could find itself held to higher standards of data protection than as a member state. This will be the case both when the European Commission considers an adequacy decision and when the UK’s data retention and surveillance regime is tested before the Court of Justice, at which point we will no longer be able to rely on the national security exemption enjoyed by member states under the EU treaties. The United States has fallen foul of ​EU data protection law in the past, and it is not impossible that the United Kingdom will do the same when it is no longer a member state.
On a related theme, the committee also considered whether the UK’s data protection regime would continue to be influenced by EU legislation after withdrawal. What we found was that the general data protection regulation will continue to apply to transfers of personal data from the EU to the UK, significantly affecting UK businesses that handle EU data. If we obtain an adequacy decision, the rulings of the new European Data Protection Board and the Court of Justice will have an effect, albeit indirectly, by altering the standards that the UK will need to maintain an adequate level of protection. This means that there will be no clean break. We will also continue to be affected by EU rules on the onward transfer of personal data to third countries. This could be a particular problem in the field of security, whereby our approach to sharing personal data with, say, the United States could put any adequacy decision at risk. In summary, it seems likely that EU and UK data protection practices will need to remain alive long after we leave the EU.
The Bill that we are debating today reflects a comprehensive EU data protection regime which has been heavily influenced over the years by the United Kingdom. Withdrawal from the EU means that we stand to lose the institutional platform from which we have exercised that influence. The committee’s report therefore concludes that the Government must aim to retain the UK’s influence wherever possible, starting by securing a continuing role for the Information Commissioner’s Office on the European Data Protection Board. I am glad that the Government’s data protection position paper spells out our aim to do just that, but in the longer term, the Government will also need to find a way to work in partnership with the EU to influence the development of data protection standards at both the EU and the global level. The continued success of our commercial and security relations with the EU will depend on that.
Although I also welcome the rights and protections for children that the Bill offers, not least the right to be forgotten, there is one very important point of detail where reconsideration is urgently needed, namely the age of consent for children to give their personal information away online in exchange for products and services without a parent or guardian needing to give their permission. The proposals in Clause 8, as we have already heard, set this age of consent at 13. However, a recent YouGov survey of the public commissioned by the BCS, the Chartered Institute for IT, shows very little support for this. Indeed, a whopping majority of 81% thought the age should be set at either 16 or 18. The Bill’s Explanatory Notes state that the Government have chosen this age—the youngest possible allowed under the incoming GDPR rules—because it is,​
“in line with the minimum age set as a matter of contract by some of the most popular information society services which currently offer services to children (e.g. Facebook, Whatsapp, Instagram)”.
In other words, a de facto standard age of consent for children providing their personal information online has emerged, and that age has been set by the very companies that profit from providing these services to children. It might be that 13 is an appropriate age for consent by children to give their information away online, but surely that should be decided in other ways and with much greater reference to the public, and I do not think this has happened. It is certainly at odds with the results of this recent survey.
Moreover, Growing Up with the Internet, the recently published report of the Select Committee on Communications, on which I am privileged to serve, examined the different ways in which children use the internet through the different stages of childhood. We received lots of evidence that lumping together all young people between the ages of 13 and 18 was really not helpful, and that much more research was needed. To bow to the commercial interests of Facebook and others therefore feels at the very least premature, and the example of its usefulness given in the Explanatory Notes—that this would somehow ease access to,
“educational websites and research resources”,
so that children could “complete their homework”—somewhat naïve, particularly in the light of otherconclusions and recommendations from the Growing Up with the Internet report, not least that digital literacy, alongside reading, writing and arithmetic, should be considered a “fourth R”; that the Government should establish the post of a children’s digital champion at the centre of government; that children must be treated online with the same rights, respect and care that has been established through regulation offline; and that all too often commercial considerations seem to be put first. So 13 might be the right age but it might not, and at the very least, further consultation with the public and with parents is needed.
As the UK leaves the EU, it will be essential—I use the word “essential”—for the UK to be able to demonstrate adequacy. I hope the Government will assure us on that point and produce the necessary regulatory framework to enable it to happen. Adequacy does not mean that the UK should simply cut and paste all EU legal provisions where reliance on national law and derogations are real options in front of us. There are some where we should be availing themselves of them. Nor do we need to make privacy safeguards—which are very important—so demanding that they become self-defeating, standing in the way of benefiting patients, in the case of medicine, and the community more generally.
The Government have made it clear that they want the Bill to support research, which is extraordinarily welcome. I hope that when she replies, the Minister will be able to say something about how the Government will approach the changes that will be needed to deal with research issues in the UK. The Bill classes universities as public bodies, and universities lie at the core of the ​research community. It is fair enough for universities to be classed as public bodies—that is what they are—but the legislation then denies them the right to invoke public interest, or even legitimate interest, as a basis for their research, and thus obliges them to seek explicit consent when using data at every stage of processing. This becomes very onerous if you are doing a long study. That may on the face of it seem reasonable but, in practice, it can do real harm. The whole point of research is that often at the outset it cannot be 100% certain where it may lead or whether further processing or trials may be necessary. You can get a situation in which unexpected and unplanned-for research is available and could yield real dividends. That is especially true of interventional research. If, as a result of wanting to take it to a further stage, the data processing demands that there should be another round of explicit consent, you get into a situation whereby universities—unlike some of the public bodies in government, which do not have to follow this procedure—have to go round again to all those who offered their personal data in the first place. Seeking the consent of holders of the data anew may simply not be possible, especially in long-term research projects. People move house or become incapable; they also die.
Even if those problems can be overcome—and I think they are real—there is a question of proportionality. Why make consent so onerous that it makes research too difficult in practice and too costly to engage in? There needs to be greater proportionality on this issue and greater alignment between the various bodies that use data in this way, and there needs to be some alternative to consent as the basis for engaging in some kinds of research. Numerous government mechanisms are available, not least ethics committees, which are a key component of modern research and could provide the necessary safeguards against abuse. I recognise that there need to be safeguards, but I suggest that we should use some imagination in how they could be brought about.
I am involved with an organisation called Unique, which deals with rare genetic disorders, whereby datasets to be useful have to be gathered globally. The number of people with those afflictions is so tiny in any given population that you have to go across the globe to connect useful datasets, which means in turn that you come up against some of the provisions that govern transnational transmission of data. However, the rarity of such individual disorders also makes every patient’s data precious to other affected individuals, because it is potentially a very tight community. No other organisation is dealing with that affliction in that way, and Unique can give support and advice to otherwise ​lonely parents and their equally isolated medics, who turn to Unique for information about alike cases. There is a network there.
By insisting on onerous consent regimes, we are in danger of disabling such organisations from continuing their pioneering work. In Unique, it is not uncommon for parents who have not been in touch for a long time suddenly to turn to it with a request for help. Try telling families, many of whom are not in the UK but are in third countries, who are coping with the daily stress of caring for a disabled child or adult, that they must be sure to keep up online with the stringent requirements of UK data legislation and that failing to do so will mean that they run the severe risk of no longer being able to get the kind of individualised attention and support that they seek from the very organisations set up to help them. The problem is that the law will lay down the need for the regular reconsultation and re-consent of individuals in very precise ways, and that such individuals might not reply, not understanding the potential hazards involved in failing to do so. One might say that data anonymisation might solve the problem. It solves some problems, but it creates new ones in an organisation set up for certain purposes where the idea is that one fellow sufferer can help another. So piling difficulties on small organisations—there are other difficulties that I have not even mentioned—might lead ultimately to an unwanted outcome, which will be a reduction in effectiveness.
I would like the Government to think about the possibility that they should allow for the creation of governance and accountability regimes that will fit special circumstances—and I am sure that we will come across others as we go through this legislation. The existence of the Information Commissioner should not result just in enforcing the law effectively and well; it should provide an opportunity for creativity under her auspices and the ability to create variations on governance regimes where they are needed.
I am rather concerned about the clarity of this very substantial Bill. It is explained that the format is chosen to provide continuity with the Data Protection Act 1998, but whether or not as a result of this innocent, no doubt valuable, choice, it seems to me that some confusion is thereby created.
First, there is the fact that the GDPR is the elephant in the room—unseen and yet the main show in town. You could call it Macavity the cat. The noble Lord, Lord Stevenson, dubbed the Bill Hamlet without the Prince. Traces exist without the GDPR being visible. Is the consequent cross-referencing to an absent document the best that can be done? I realise that there are constraints while we are in the EU, but it detracts from the aims of simplicity and coherence. Apparently, things are predicted to be simpler post Brexit, at least in this regard, when the GDPR will be incorporated into domestic law under the withdrawal Bill in a “single domestic legal basis”, according to the Explanatory Memorandum. Does that mean that this Bill—by then it will be an Act—will be amended to incorporate the regulation? It seems odd to have more clarity post Brexit than pre-Brexit. It would no doubt be totally unfair to suggest any smoke-and-mirrors exercise to confuse the fact of the centrality of EU law now and in the future.
Secondly, we seem to have some verbal gymnastics regarding what “apply” means. The departmental briefing says that the Bill will apply GDPR standards, but then we have the so-called “applied GDPR” scheme, which is an extension of the regulation in part 2, chapter III. Can the Minister elaborate on precisely what activities ​part 2, chapter III covers? The Bill says that manual unstructured files come within that category. I do not know how “structured” and “unstructured” are defined, but what other data processing activities or sectors are outside the scope of EU law and the regulation, and are they significant enough to justify putting them in a different part?
I will highlight, rather at random, some other examples which need reflection. We may need seriously to look at the lack of definition of “substantial public interest” as a basis for processing sensitive data, or even of public interest. I think the noble Lord, Lord Stevenson, mentioned the failure or the non-taking-up of the option under Article 80(2) of the regulation to confer on non-profit organisations the right to take action pursuing infringements with the regulator or court. This omission is rather surprising given that a similar right exists for NGOs, for instance, for breach of other ​consumer rights, including financial rights. Perhaps the Minister could explain that omission.
There is also concern that the safeguards for profiling and other forms of automated decision-making in the Bill are not strong enough to reflect the provisions of Article 22 of the GDPR. There is no mention of “similar effects” to a legal decision, which is the wording in the regulation, or of remedies such as the right of complaint or judicial redress.
Very significant is the power for the Government under Clause 15 to confer exemptions from the GDPR by regulation rather than put them in primary legislation. That will need to be examined very carefully, not only for domestic reasons but also because it could undermine significantly an adequacy assessment in the future.
Clause 7 refers to alternatives to consent. The noble Baroness, Lady Neville-Jones, referred briefly to the problems that arise. For many uses of personal data, explicit consent is absolutely the right legal basis for processing that data, and it is positive that, with the GDPR, data subjects’ rights have been strengthened. Medical research will usually rely on a person providing informed consent for ethical reasons, but it is essential that there are alternatives to consent as a legal basis. That is because GDPR-compliant explicit consent sets a high bar for information provision that it may not always be feasible to meet. In many research resources, such as biobanks—I hope that my noble friend Lady Manningham-Buller will refer to that as the chairman of the Wellcome Trust, which is responsible for initiating the UK Biobank—the participants give consent for their pseudonymised data to be used.
In some studies it is not possible to seek consent, either because a very large sample size is needed to generate a robust result, and that would be practically difficult to obtain, or because seeking consent would introduce bias. The use of personal health data without specific explicit consent is sometimes essential for research for the health of the population. If researchers could not process medical records for research without specific explicit patient consent, they could not run cancer registries, which are extremely important in recording all cases of cancer; they could not monitor the hazards of medical procedures, such as the recently discovered implications of CT scans for long-term disease development; they could not assess the unexpected side-effects of routinely prescribed medicines; and they could not identify sufficiently large numbers of people with a particular disease to invite them to take part in trials for the treatment of that disease. The example I would give is the recruitment of 20,000 suitable people for the Heart Protection Study on statins, which has helped transform medical practice throughout the world. I am sure that many noble Lords use statins. This began with the identification of 400,000 patients with a hospital record of arterial disease and that information could not have been accessed without their permission. There are good examples of how this provision would cause a problem as it is enunciated in Clause 7.​
We have a well-established, robust system of governance and oversight for non-consensual medical research in the UK; for example, through the Health Research Authority, a confidentiality advisory group, advising on Section 251 approvals to override the common law duty of confidentiality. Patient groups actively advocated for research exemptions during the passage of the GDPR—for example, through the Data Saves Lives campaign. I hope that, in Committee, we might get an opportunity to explore this further to see whether we can somehow modify the Bill to make this possible.
I come now to the public interest issues in the same clause. I understand that the Government intend the functions listed in Clause 7 not to be exhaustive, and to allow, for example, research conducted by universities or NHS trusts to use the public interest legal basis. Again, the noble Baroness, Lady Neville-Jones, briefly touched on that. It would provide much-needed clarity and assurance to the research community, particularly to those in the universities, if this could be made explicit in the Bill. A huge amount of research will rely on public interest as a legal basis. The Government have recognised the value of making better use of data for research, and the recent life sciences industrial strategy confirms the tremendous potential benefits for patients and the public if we can unlock the value of data held by public authorities and promote its use in the public interest.
There is currently a highly risk-averse culture in data protection, driven in part because people are unclear about the rules and what they can or cannot do with data for their purposes—hence I referred to the need for better governance of the data. This is why the public interest legal basis matters so much for research. The DP Bill is an opportunity to set out very clearly what the legitimate basis for processing personal data can be. Setting out a clear public interest function for research will give researchers confidence to know when they are operating within the law. If necessary, any specification of research in Clause 7 could be qualified by safeguards to ensure that the legal basis is used only when appropriate.
This is a welcome and necessary Bill. It is not perfect, but I leap to its defence in at least one respect—namely; the absence of the GDPR regulations themselves from the Bill. On the Government’s website, there is a truly helpful document, the Keeling schedule, which sets out how the GDPR intersects with the text of this Bill. After noble Lords have read it a few times, it comes close to being comprehensible.
The Commission has estimated that this [GDPR] would lead to savings of around €2.3 billion a year for businesses. But while the rules might make things simpler for businesses in that respect, it is possible that they will also make it easier for citizens to demand to know what information is held on them in paper form as well as in digital form. In fact, that is one of the main purposes of the Bill. So we might find that businesses have more rather than less to do. I wonder whether that has been costed. It is a good thing that citizens should find out what information people hold on them, but we should not pretend that the exercise will be free of cost to businesses. The Federation of Small Businesses estimates an additional cost of £75,000 per year for small businesses, and obviously much more for larger ones.
The Bill contains a bespoke regime for the processing of personal data by the police, prosecutors and other criminal justice agencies for law enforcement purposes. The aim of this, which is laudable, is to,
“ensure that there is a single domestic and trans-national regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector”,
but what is the law enforcement sector? To what extent do banks, for example, fall into the law enforcement sector? They have obligations under the anti-money laundering rules to pull suspicions together and to share those across borders—not just across European borders but globally. How are those obligations tied in with the GDPR obligations in the Bill? Businesses, especially banks, will need to understand the interplay between the GDPR regulations, the anti-money laundering regulations and all of the others. The Government would not, I know, want to create the smallest risk that by obeying one set of laws you disobey another.
That sort of legal understanding and pulling things together will take time. It will take money and training for all organisations. There is a real concern that too many organisations are simply hoping for the best and thinking that they will muddle through if they behave sensibly. But that is not behaving sensibly. They need to start now if they have not started already. The Federation of Small Businesses says that:
“For almost all smaller firms, the scope of the changes have not even registered on their radar. They simply aren’t aware of what they will need to do”.
Yet it goes on to say that,
“full guidance for businesses will not be available until next year, potentially as late as spring. The regulator cannot issue their guidance until the European Data Protection Board issue theirs”,
so there is a lot of work to be done.
My final point echoes one raised by the noble Lord, Lord McNally, relating to the issue of the re-identification of personal data which has been de-identified, as set out in Clause 162. The clause makes it a crime to work out to whom the data is referring. The very fact that this clause exists tells us something: namely, that whatever you do online creates some sort of risk. If you think that your data has been anonymised, according to the computational privacy group at Imperial College, you will be wrong. It says:
“We have currently no reason to believe that an efficient enough, yet general, anonymization method will ever exist for high-dimensional data, as all the evidence so far points to the contrary”.
If that is right, and I believe it is, then de-identification does not really exist. And if that is right, what is it in terms of re-identification that we are criminalising under this clause? In a sense, it is an oxymoron which I think needs very careful consideration. The group at Imperial College goes on to suggest that making re-identification a criminal offence would make things worse because those working to anonymise data will feel that they do not have to do a particularly good job. After all, re-identifying it would be a criminal offence, so no one will do it. Unfortunately, in my experience that is not entirely the way the world works.
I hope that the Minister will set out some clarification of the intentions of the Bill in relation to the consent of children. Clause 8(b) includes an exemption for “preventive or counselling services”. Does that mean that a child could give their consent to these websites before the age of 13 or not at all? What is defined as a “preventive or counselling service”?
Clause 187 gives further criteria for the consent of children, but only children in Scotland where a child’s capacity to exercise their consent should be taken into account, with the expectation that a child aged 12 or over is,
“presumed to be of sufficient age and maturity to have such an understanding”.
The Explanatory Notes to the Bill state that this clause must be read with Clause 8, which provides that the age limit is 13. Is Clause 187 intended to say that the age of digital consent cannot go below 13, which is the position of Article 8(1) of the GDPR, or that there might be circumstances when a child who is 13 cannot consent for genuine reasons? Either of these scenarios seem to give rise to confusion for children, parents and the websites that children access.
After all the detailed discussions about age verification that we had earlier in the year, there is an argument for age verification to apply to Clause 8. How will websites that require a child to verify that they are 13 years old ensure that the child is the age that they say they are without some requirement for the site to prove the age of the child? This is surely a meaningless provision. I hope that when the Minister comes to reply, he will set out the Government’s position on this matter and explain what penalties a website which breaches this age requirement will face..
There is much that is good in the Bill, but I do not believe that it is yet the best that it can be.
I must start with a confession. Despite the kind references today to my career and supposed expertise, I found this Bill incredibly hard to read and even harder to understand. I fear that we will not do enough to stop the notion, referred to by the noble Lord, Lord McNally, that we are sleepwalking into a dystopian future if we do not work hard to simplify the Bill and make it accessible to more people, the people to whom I feel sure the Government must want to give power in this updated legislation. Let us ensure that the Bill is a step forward for individual power in the rapidly changing landscape in which we sit, a power that people understand and, importantly, use. Let us make it an indicator to the world that the UK balances the importance of tech start-ups, innovation, foreign investment and big businesses with consumer and citizen rights.
The Government should be commended for getting ahead of movements that are growing all over the world to free our data from the tech giants of our age. As data becomes one of our most valuable resources—as we have heard, the new oil—individuals have begun to want a stake in determining for themselves when, how and to what extent information about them is held and communicated to others. So I welcome the clear data frameworks, which are important not only for the best digital economy but for the best digital society.​
I agree with much that has been said today but want to make three specific points on the Bill. First, from any perspective, the GDPR is difficult to comprehend, comprising sweeping regulations with 99 articles and 173 recitals. The Bill contains some wonderful provisions, of which my favourite is:
“Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR … In this Chapter, “the applied Chapter 2” means Chapter 2 of this Part as applied by this Chapter”.
Giving people rights is meaningful only if they know that they have them, what they mean, how to exercise them, what infringement looks like and how to seek redress for it. There are questions about the practical workability of a lot of these rights. For example, on the right to portability, how would the average person know what to do with their ported data? How would they get it? Where would they keep it? There was a funny example in a newspaper recently where a journalist asked Facebook to send them all the data that it had collected over the previous eight years and received a printed copy of 800 pages of data—extremely useful, as I think you will agree. What about your right to erase your social media history? I should declare my interest as a director of Twitter at this point. How can you remove content featuring you that you did not post and in which people may have mentioned you? What happens as the complexity of the algorithm becomes so sophisticated that it is hard to separate out your data? How does the immense amount of machine learning deployed already affect your rights, let alone in the future?
Awareness among the public about the GDPR is very low—the Open Data Institute has done a lot of work on this which is soon to be published. It is very unlikely that ordinary people understand this legislation. They will have no understanding of how their rights affect them. A lot of education work needs to be done.
For businesses, too, the learning curve is steep, especially for foreign investors in European companies. Some are betting that the sheer scope of the GDPR means that the European regulators will struggle to enforce it. When the GDPR came up at a recent industry start-up event, one industry source said that none of the people to whom they had spoken could confidently say that they had a plan. Every online publisher and advertiser should ensure that they do, but none of them is taking steps to prepare.
So much has been done by this Government on building a strong digital economy that it is important to ensure that small and start-up businesses do not feel overwhelmed by the changes. What substantial help could be planned and what education offered? What help is there with compliance? By way of example, under Clause 13, companies have 21 days to show bias from algorithms, but what does this mean for a small AI start-up which may be using anonymised intelligence data to build a new transport or health app? What do they have to think about to make good legal decisions? As my noble friend Lord Jay so brilliantly argued, how can we ensure post-Brexit legislative certainty for them in building global successful businesses?
This brings me to my second question: why has the right of civil groups to take action on behalf of individuals been removed from the UK context for the ​GDPR? Instead, the Bill places a huge onus on individuals, who may lack the know-how and the ability to fight for their rights. As has been mentioned, article 80(1) of the GDPR allows for representative bodies—for example, consumer groups—to bring complaints at the initiation of data subjects.. This omission is worrying, given how stretched the ICO’s resources are and the impact this could have on its support for the public. Granting rights over data to individuals is meaningless if individuals lack the understanding to exercise those rights and there is no infrastructure within civic society to help them exercise those rights. There does not seem to be any good reason why the UK has chosen not to take up the option in EU law to allow consumer privacy groups to lodge independent data protection complaints as they can currently do under consumer rights laws.
Resourcing the ICO, Part 5 of the Bill, is essential and my third main area of interest. The ICO has considerable responsibilities and duties under the Bill towards both business and individuals: upholding rights, investigating reactively, informing and educating to improve standards, educating people and consumer groups, and maintaining international relationships. I feel exhausted thinking about it. The ICO’s workload is vast and increasing. It lacks sufficient resources currently. In March 2017, the Information Commissioner asked Parliament if it could recruit 200 more staff but the salaries it offers are significantly below those offered by the private sector for roles requiring extremely high levels of skills and experience. These staff are going to become ever more important and more difficult to recruit in the future.
The ICO currently funds its data protection work by charging fees to data controllers. It receives ring-fenced funding for its freedom of information request work from the Government. This income can increase the number of data controllers only as it increases: it is not in line with the volume or complexity of work, and certainly not with that in the Bill. Perhaps it is time for another method of funding, such as statutory funding.
Finally, I would like briefly to add my thoughts on how the Bill affects children. As many noble Lords have said, the YouGov poll does indeed say that 80% of the public support raising the age to 18—currently it is 13, as detailed by the Government. However, there are many other surveys, particularly one by the Children’s ​Society, which show that 80% of 13 year-olds currently have a social media account and 80% of people under 13 have lied or twisted their age in order to establish one. This is the realpolitik in the war of understanding the internet with our children. I respectfully disagree with the noble Baroness, Lady Howe, and others in the Chamber: I feel strongly that it is wrong to place policing at the heart of how we deal with relationships between children and the internet. We need to take a systems-based approach. I have seen my godchildren set up fake accounts and whizz around the internet at a speed I find alarming. We have to deal on their terms. We have to help educators, parents and people supporting children, not use the long arm of the law.
Like other noble Lords, I am concerned about public trust and confidence in the system. At the moment there is a need for guidance on preparation for the new regime. I visited a charity last week and asked about the availability and accessibility of advice. The immediate, almost knee-jerk response was, “It’s pretty dire”—followed by comments that most of what is available is about fundraising and that there is a particular lack of advice on how to deal with data relating to children. The comment was made, too, that the legislation is tougher on charities than on the private sector. I have not pinned down whether that is the case, but I do not disbelieve it. The Federation of Small Businesses has made similar points about support for small businesses.
Part of our job is to ensure that the Bill is as clear as possible. I was interested that the report of the committee of the noble Lord, Lord Jay, referred to “white space” and language. It quoted the Information Commissioner, who noted trigger terms such as “high-risk”, “large scale” and “systematic”. Her evidence was that until the new European Data Protection Board and the courts start interpreting the terms,
“it is not clear what the GDPR will look like in practice”.
I found that some of the language of the Bill raised questions in my mind. For instance—I am not asking for a response now; we can do this by way of an amendment later—the term “legitimate” is used in a couple of clauses. Is that wider than “legal”? What is the difference between “necessary” and “strictly necessary”? I do not think that I have ever come across “strictly necessary” in legislation. There are also judgment calls implicit in many of the provisions, including the “appropriate” level of security and processing that is “unwarranted”.
Finally, I return to the committee report, which has not had as much attention as the Bill. That is a shame, but I am sure we will come back to it as source material. I noted the observation that, post Brexit, there is a risk that, in the Information Commissioner’s words, the UK could find itself,
“outside, pressing our faces on the glass … without influence”,
and yet having,
“adopted fulsomely the GDPR”.
That image could be applied more widely.
For the public interest, terminology should be extended so that we can look at issues of safeguards beyond consent and make sure that it is possible to do clinical trials and interventional work. Why is that the case? It is because health data offers the most exciting opportunities to do things which we have only recently been able to do, understand the causes of disease in detail over populations and have a much better chance of getting to diagnosis early. We could deal with many things if we could only diagnose them far earlier and develop treatments for them—indeed, prevent some of them ever materialising. Health data also helps us to measure the efficacy of treatment. We all know of plenty of treatments that over years have proved to be useless, or unexpected ones that have proved to be outstanding. Looking at big-scale data helps us to do that. That data helps in precision medicine, which we are all moving towards having, where the drugs we receive are for us, not our neighbour, although we apparently both have the same illness. Health data can also help with safety as you can collect the side-effects that people are suffering from for particular drugs. It helps us evaluate policy and, of course, should help the NHS in planning.
I know that the Government want to support scientists to process data with confidence and safety. The industrial strategy comments that data should be “appropriately accessed by researchers”. “Appropriate” is a hopeless word; we do not know what it means, but still. The document also states that access for researchers to,
“currently available national datasets should be accelerated by streamlining legal and ethical approvals”.
We are not there yet.
I want to say a word about public support. The Wellcome Trust commissioned an Ipsos MORI poll last year before the Caldicott review to assess public support for the collection of data. In many cases, there is significant public support for that provided it is anonymised—although I know there are questions about that—but what people are fussed about is that their data is sold on for commercial purposes, that it is used for marketing or, worst of all, that it is used to affect their insurance policies and life insurance. Therefore, we need to give reassurance on that. However, it has certainly been the case in our experience, and that of many universities, that you can recruit many people for trials and studies if they believe that their data will help others with similar diseases or indeed themselves.
I agreed with the noble Lord, Lord McNally, and his worries about standing up to the tech giants. They are not our friends. They are big, powerful companies that are not citizens of this country. They pay as little tax here as possible and several of them actively help tax evaders in order that they can make more profits out of the transactions that that involves. They control what we see on the internet through algorithms and extract vast quantities of data and know more about us than we know ourselves. In the interests of democracy we really must stand up to them and say, “No, we are the people who matter. It is great you are doing well, but we are the people who matter”. Bills like this are part of that, and it is important that we stand up for ourselves and our citizens.
My noble friend Lord Arbuthnot referred to a Keeling schedule. It would be wonderful to receive it. For some reason I cannot pick it up on the email. It is not in the documents listed on the Parliament website, not in any location, and it does not Google or come up on GOV.UK. One way or another, I think the simplest thing to ask is: please can we put it on the parliamentary website in the list of documents related to the Bill? I know that it exists, but I just cannot find it. It would be nice if it appeared on the departmental website too.
It seems to me that bits are missing in a number of areas. Where are Articles 3, 27, 22(2)(b) and 35(4) to 35(6)? Where is Article 80(2), as the noble Baroness, ​Lady Lane-Fox, mentioned? That is an absolutely crucial article. Why has it gone missing? How exactly is recital 71 implemented? I cannot see how the protections for children in that recital are picked up in the Bill. There are a lot of things that Keeling schedules are important for. In a detailed Bill like this, they help us to understand how the underlying European legislation will be reflected, which will be crucial for the acceptance of this Bill by the European Union—I pick up the point made by the noble Lord, Lord Stevenson—and what bits are missing.
And what has been added? Where does paragraph 8 of Schedule 11 come from? It is a very large, loose power. Where are its edges? What is an example of that? I would be very grateful if my noble friend could drop me a note on that before we reach Committee. What is an arguable point under that provision? Where are the limits of our economic interest so far as its influence on this Bill is concerned?
Paragraph 4 of Schedule 10 is another place that worries me. We all make our personal data public, but a lot of the time we do it in a particular context. If I take a photograph with my parliamentary-supplied iPhone, on which there is an app that I have granted the power to look at my photographs for some purpose that I use that app for, I have made that photograph and all the metadata public. That is not what I intended; I made it public for a particular purpose in a particular context—that of social media. A lot of people use things like dating websites. They do not put information on there which is intended to be totally public. Therefore, the wording of paragraph 4 of Schedule 10 seems to be far too wide in the context of the way people use the internet. Principle 2 of the Data Protection Act covers this. It gives us protection against the use of information for purposes which it clearly has not been released for. There does not appear to be any equivalent in the Bill—although I have not picked up the Keeling schedule, so perhaps it is there. However, I would like to know where it is.
On other little bits and pieces, I would like to see the public policy documents under Clause 33(4) and Clause 33(5) made public; at the moment they are not. How is age verification supposed to work? Does it involve the release of data by parents to prove that the child is the necessary age to permit the child access, and if so, what happens to that data? Paragraph 23 of Schedule 2 addresses exam scripts. Why are these suddenly being made things that you cannot retrieve? What are the Government up to here? Paragraph 4 of Schedule 2, on immigration, takes away rights immigrants have at the moment under the Data Protection Act. Why? What is going on?
There are lots of bits and pieces which I hope we can pick up in Committee. I look forward to going through the Bill with a very fine-toothed comb—it is an important piece of legislation.
In order to support archiving activities, it is essential that this legislation provide a strong and robust legal basis to support public and private organisations which are undertaking archiving in the public interest. As I understand it, this new legislation confirms the exemptions currently available in the UK Data Protection Act 1998: safeguarding data processing necessary for archiving purposes in the public interest and archiving for scientific, historical and statistical purposes. This is welcome, but there may perhaps be issues around definitions of who and what is covered by the phrase “archiving in the public interest”. I look forward to further discussion and, hopefully, further reassurances on whether the ​work of public archiving institutions such as our libraries and museums is adequately safeguarded in the Bill.
The new Bill seeks to replicate the approach of the Data Protection Act 1998, whereby there have been well-established exemptions to safeguard national security. It is obviously vital that the intelligence services be able to continue to operate effectively at home and with our European and other partners, and I look forward to our further discussion during the passage of the Bill on whether this draft legislation gives the intelligence services the safeguards they require to operate effectively.
This Bill attempts to help us tackle some big moral and ethical dilemmas, and we as parliamentarians have a real struggle to be sufficiently informed in a rapidly changing and innovative environment. I welcome the certainty that the Bill gives us in implementing the GDPR in this country in a form that anticipates Brexit and the need to continue to comply with EU data law regardless of membership of the EU in the future.
But ultimately I believe that the GDPR is an answer to the past. It is a long-overdue response to past and current data practice, but it is a long way from what the Information Commissioner’s briefing describes as,
“one of the final pieces of much needed data protection reform”.
I am grateful to Nicholas Oliver, the founder of people.io, and to Gi Fernando from Freeformers for helping my thinking on these very difficult issues.
The Bill addresses issues of consent, erasure and portability to help protect us as citizens. I shall start with consent. A tougher consent regime is important but how do we make it informed? Even if 13 is the right age for consent, how do we inform that consent with young people, with parents, with adults generally, with vulnerable people and with small businesses which have to comply with this law? Which education campaigns will cut through in a nation where 11 million of us are already digitally excluded and where digital exclusion does not exclude significant amounts of personal data being held about you? And what is the extent of that consent?
As an early adopter of Facebook 10 years ago, I would have blindly agreed to its terms and conditions that required its users to grant it,
“a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content”.
I posted on the site. It effectively required me to give it the right to use my family photos and videos for marketing purposes and to resell them to anybody. Thanks to this Bill, it will be easier for me to ask it to delete that personal data and it will make it easier for me to take it away and put it goodness knows where else with whatever level of security I deem fit, if I can trust it. That is welcome, although I still quite like Facebook, so I will not do it just yet.
But what about the artificial intelligence generated from that data? If, in an outrageous conflagration of issues around fake news and election-fixing by a foreign power to enable a reality TV star with a narcissistic personality disorder to occupy the most powerful executive office in the free world, I take against Facebook, can I withdraw consent for my data to be used to inform artificial intelligences that Facebook can go on to use for profit and for whatever ethical use they see fit? No, I cannot.
What if, say, Google DeepMind got hold of NHS data and its algorithms were used with bias? What if Google gets away with breaking data protection as part of its innovation and maybe starts its own ethics group, marking its own ethics homework? Where is my consent and where do I get a share of the revenue generated by Google selling the intelligence derived in part from my data? And if it sells that AI to a health company which sells a resulting product back to the NHS, how do I ensure that the patients are advantaged because their data was at the source of the product?
No consent regime can anticipate future use or the generation of intelligent products by aggregating my data with that of others. The new reality is that consent in its current form is dead. Users can no ​longer reasonably comprehend the risk associated with data sharing, and so cannot reasonably be asked to give consent.
Thanks to AI, in the future we will also have to resolve the paradox of consent. If AI determines that you have heart disease by facial recognition or by reading your pulse, it starts to make inference outside the context of consent. The AI knows something about you, but how can you give consent for it to tell you when you do not know what it knows? Here, we will probably need to find an intermediary to represent the interests of the individual, not the state or wider society. If the AI determines that you are in love with someone based on text messages, does the AI have the right to tell you or your partner? What if the AI is linked to your virtual assistant—to Siri or Google Now—and your partner asks Siri whether you are in love with someone else? What is the consent regime around that? Clause 13, which deals with a “significant decision”, may help with that, but machine learning means that some of these technologies are effectively a black box where the creators themselves do not even know the potential outcomes.
Could the Minister tell me how the right to be forgotten works with the blockchain? These decentralised encrypted trust networks are attractive to those who do not trust big databases for privacy reasons. By design, data is stored in a billion different tokens and synced across countless devices. That data is immutable. Blockchain is heavily used in fintech, and London is a centre for fintech. But the erasure of blockchain data is impossible. How does that work in this Bill?
There is more to be said about portability, law enforcement and the intelligence services, but thinking about this Bill makes my head hurt. Let me close on a final thought. The use of data to fuel our economy is critical. The technology and artificial intelligence it generates has a huge power to enhance us as humans and to do good. That is the utopia we must pursue. Doing nothing heralds a dystopian outcome, but the pace of change is too fast for us legislators, and too complex for most of us to fathom. We therefore need to devise a catch-all for automated or intelligent decisioning by future data systems. Ethical and moral clauses could and should, I argue, be forced into terms ​of use and privacy policies. That is the only feasible way to ensure that the intelligence resulting from the use of one’s data is not subsequently used against us as individuals or society as a whole. This needs urgent consideration by the Minister.
If being GDPR compliant requires a hard age limit, how do we intend to verify the age of the child in any meaningful way without, perversely, collecting more data from children than we do from adults? Given that the age of consent is to vary from country to country—16 in the Netherlands, Germany and Hungary; 14 in Austria—data controllers will also need to know the location of a child so that the right rules can be applied. Arguably, that creates more risk for children, but definitely it will create more data.
In all of this we must acknowledge a child’s right to access the digital world knowledgeably, creatively and fearlessly. Excluding children is not the answer, but providing a digital environment fit for them to flourish in must be. There is not enough in this Bill to fundamentally realign young people’s relationship with tech companies when it comes to their data.
I very much agreed with those who said that the regulation must certainly apply to the big boys in the computer and ​digital world. I shuddered when the noble Baroness, Lady Lane-Fox, quoted from that wholly incomprehensible Brussels jargon from the regulations.
I received last week a letter as chair of Marlesford Parish Council. We have seven members and only 230 people live in Marlesford. Our precept is only £1,000 a year. A letter from the National Association of Local Councils warned me that the GDPR will impose,
“a legal obligation to appoint a Digital Protection Officer … this appointment may not be as straightforward as you may be assuming, as while it may be possible to appoint an existing member of staff”—
we have no staff, just a part-time parish clerk who is basically a volunteer. It continues:
“They must by requirement of regulations possess ‘expert knowledge of data protection law and practices’”.
I am afraid that will not be found in most small villages in the country, so I hope that one result of this Bill will be to introduce an element of proportionality in how it is to apply, otherwise the noble Baroness, Lady Lane-Fox, who was so right to draw our attention to the threat of incomprehensibility, will be right and we will all lose the plot.
Despite acknowledging that the Bill fleshes out the regulation to make it member-state applicable, like the noble Lord, Lord Stevenson, I worry about a Bill of 218 pages and an explanatory note of 112 pages, plus a departmental pack of 247 pages to deal with it all. That all adds to the complexity. I admit that the GDPR conceals its highly challenging requirements in wording of beguiling simplicity under the flag of private rights, but it is no wonder that the European Parliament did not want its handiwork contextualised by inclusion in what we have before us. It is not a particularly encouraging start to bringing 40 years of EU legislation into domestic law.
In what I felt was an inspirational contribution, the noble Baroness, Lady Lane-Fox—I am sorry she is not in her place—referred to the tortuous use of language in parts of the Bill. I agree with her—parts of it are gobbledygook that deny transparency to ordinary mortals.
I shall touch on three concerns. According to the Federation of Small Businesses, the measures represent a significant step up in the scope of data protection obligations. High-risk undertakings could phase additional costs of £75,000 a year from the GDPR. The MoJ did an impact assessment in 2012, which is no doubt an underestimate, since it did not take account of the changes made by the European Parliament, which estimated the cost at £260 million in 2018-19 and £310 million by 2025-26. I am not even sure if that covers charities or public organisations or others who have expressed concerns to me about the costs and the duties imposed. Then there are the costs of the various provisions in the Bill, many levelling up data protection measures outside the scope of the GDPR. It is less confusing, I accept, but also more costly to all concerned.
The truth is that overregulation is a plague that hits productivity. Small businesses are suffering already from a combination of measures that are justified individually—pension auto-enrolment, business rates and the living wage—but together can threaten viability at a time of Brexit uncertainty. We must do all we can to come to an honest estimate of the costs and minimise the burden of the new measures in this legislation.
Also, I know that CACI, one of our leading market analysis companies working for top brands such as John Lewis and Vodafone, thinks that the provisions in the Bill are needlessly gold-plated. Imperial College has contacted me about the criminalisation of the re-identification of anonymised data, which it thinks will needlessly make more difficult the vital security work that it and others do.
The noble Lord, Lord Patel, and the noble Baroness, Lady Manningham-Buller, were concerned about being able to contact people at risk where scientific advance ​made new treatments available—a provision that surely should be covered by the research exemption.
The second issue is complication. It is a long and complicated Bill. We need good guidance for business on its duties—old and new, GDPR and Data Protection Bill—in a simple new form and made available in the best modern way: online. I suggest that—unlike the current ICO site—it should be written by a journalist who is an expert in social media. The Minister might also consider the merits of online training and testing in the new rules. I should probably declare an interest: we used it in 2011 at Tesco for the Bribery Act and at the IPO for a simple explanation of compliance with intellectual property legislation.
The third issue is scrutiny. I am afraid that, as is usual with modern legislation, there are wide enabling powers in the Bill that will allow much burdensome and contentious subordinate detail to be introduced without much scrutiny. The British Medical Association is very concerned about this in relation to patient confidentiality. Clause 15, according to the excellent Library Note, would allow the amendment or repeal of derogations in the Bill by an affirmative resolution SI, thereby shifting control over the legal basis for processing personal data from Parliament to the Executive. Since the overall approach to the Bill is consensual, this is the moment to take a stand on the issue of powers and take time to provide for better scrutiny and to limit the delegated powers in the Bill. Such a model could be useful elsewhere—not least in the Brexit process.
I will make a few rather sceptical remarks about the long-term viability of data protection approaches to protecting privacy. They have, of course, worked, or people have made great efforts to make them work, but I think the context in which they worked, at least up to a point, has become more difficult and they are less likely to work. The definition of personal data used in data protection approaches, and retained here, is data relating to a living individual who is identified, or can be identified, from the data. It is that modal idea of who can be identified that has caused persistent problems. Twenty years ago it was pretty reasonable to assume that identification could be prevented provided one could prevent either inadvertent or malicious disclosure, so the focus was on wrongful disclosure. However, today identification is much more often by inference and it is very difficult to see how inference is to be regulated.
The first time each of us read a detective story, he or she enjoyed the business of looking at the clues and suddenly realising, “Ah, I know whodunnit”. That inference is the way in which persons can be identified from data and, let us admit it, not merely from data that are within the control of some data controller. Data protection is after all in the end a system for regulating data controllers, combined with a requirement that institutions of a certain size have a data controller, so there is a lot that is outside it. However, if we are to protect privacy, there is, of course, reason to think about what is not within the control of any data controller. Today, vast amounts of data are outwith the control of any data controller: they are open data. Open data, as has been shown—a proof of concept from several years ago—can be fully anonymised and yet a process of inference can lead to ​the identification of persons. This is something we will have to consider in the future in thinking about privacy.
Moreover, throughout the period of data protection, one of the central requirements for the acceptable use of otherwise personal data has been that consent should be sought, yet the concepts of consent used in this area are deeply divisive and various. In commercial contexts, consent requirements are usually interpreted in fairly trivial ways. When we all download new software, we are asked to accept terms and conditions. This is called an end-user licence agreement. You tick and you click and you have consented to 45 pages of quite complicated prose that you did not bother to read and probably would not have understood if you had maintained attention for 45 pages. It does not much matter, because we have rather good consumer protection legislation, but there is this fiction of consent. However, at the other end of the spectrum, and in particular in a medical context, we have quite serious concepts of consent. For example, to name one medical document, the Helsinki Declaration of the World Medical Association contains the delicious thought that the researcher must ensure that the research participant has understood—then there is a whole list of things they have to understand, which includes the financial arrangements for the research. This is a fiction of consent of a completely different sort.
We should be aware that, deep down in this legislation, there is no level playing field at all. There are sectoral regimes with entirely different understandings of consent. We have, in effect, a plurality of regimes for privacy protection. Could we do otherwise or do better? Legislation that built on the principle of confidentiality, which is a principle that relates to the transfer of data from one party to another, might be more effective in the long run. It would of course have to be a revised account of confidentiality that was not tied to particular conceptions of professional or commercial confidentiality. We have to go ahead with this legislation now, but it may not be where we can stay for the long run.
This has been an interesting, and for me at times a rather confusing, debate on the issues associated with the Bill. The Bill is complex, but I understand that it is necessarily complex. For example, under European law it is not allowed to reproduce the GDPR in domestic legislation. The incorporation of the GDPR into British law is happening under the repeal Bill, not under this legislation. Therefore, the elephant and the prints are in the other place rather than here.
We on these Benches welcome the Bill. It provides the technical underpinnings that will allow the GDPR to operate in the UK both before and after Brexit, together with the permitted derogations from the GDPR available to all EU member states. For that reason it is an enabling piece of legislation, together with the GDPR, which is absolutely necessary to allow the UK to continue to exchange data, whether it is done by businesses for commercial purposes or by law enforcement or for other reasons, once we are considered to be a third-party nation rather than a member of the European Union.​
The enforcement regime, the Information Commissioner, is covered in Part 5, because we will repeal the Data Protection Act 1998 and so we need to restate the role of the Information Commissioner as the person who will enforce, and we will need to explore concerns that we have in each part of the Bill as we go through Committee. However, generally speaking, we welcome the Bill and its provisions.
Of course, what the Government, very sensibly, are trying to do but do not want to admit, is to ensure that the UK complies with EU laws and regulations—in this case in relation to data protection—so that it can continue to exchange data with the EU both before and after Brexit. All this government hype about no longer being subject to EU law after Brexit is merely the difference between having to be subject to EU law because we are a member of the EU and having to be subject to EU law because, if we do not, we will not be able to trade freely with the EU or exchange crime prevention and detection intelligence, and counterterrorism intelligence, with the EU. That is the only difference.
For most aspects of data exchange, compliance with the GDPR is required. The GDPR is directly applicable, so it cannot simply be transposed into this Bill. Coupled with the derogations and applying the GDPR to other aspects of data processing not covered by the GDPR makes this part of the Bill complex—and, as I suggest, probably necessarily so.
As my noble friend Lady Ludford also mentioned, along with the noble Baroness, Lady Jay of Paddington, various provisions to allow Ministers to alter the application of the GDPR by regulation is something that we need much further scrutiny of, albeit that Ministers’ hands are likely to be tied by the requirement to comply with changing EU law after Brexit—de facto even if not de jure. Could it be—perhaps the Minister can help us here—that the purpose of these powers, put into secondary legislation, is to enable the UK to keep pace with changes in EU law after Brexit?
As other noble Lords have said, we have concerns about the creation of a criminal offence of re-identification of individuals. As the noble Lord, Lord Arbuthnot of Edrom, said, criminalising re-identification could allow businesses to relax the methods that they use to try to anonymise data on the basis that people will not try to re-identify individuals because it is a criminal offence.
Despite what is contained in this Bill, we have serious concerns that there are likely to be delays to being granted data adequacy status by the European Commission when we leave the EU. That means that there would not be a seamless continuation of data exchange with the EU 27 after Brexit. We also have serious concerns, as does the Information Commissioner, that there are likely to be objections to being granted data adequacy status because of the bulk collection of data allowed for under the Investigatory Powers Act, as the noble Lord, Lord Stevenson of Balmacara, said in his opening remarks.
As the noble Baroness, Lady Lane-Fox, mentioned, it is essential that the Information Commissioner is provided with adequate resources. My understanding ​is that there has been a considerable loss of staff in recent times, not least because commercial organisations want to recruit knowledgeable staff to help them with the implementation of GDPR, plus the 1% cap on public sector pay has diminished the number of people working for the Information Commissioner. It is absolutely essential that she has the resources she needs, bearing in mind the additional responsibilities that will be placed upon her.
A number of noble Lords, including the noble Lord, Lord Kennedy, the noble Baroness, Lady Lane-Fox, and my noble friend Lady Neville-Rolfe, asked whether the Bill was too complex. It was suggested that data controllers would struggle to understand the obligations placed on them and data subjects to understand and access their rights. As the noble Lord, Lord Paddick, said, the Bill is necessarily so, because it provides a complete data protection framework for all personal data. Most data controllers will need to understand only the scheme for general data, allowing them to focus just on Part 2. As now, the Information Commissioner will continue to provide guidance tailored to data controllers and data subjects to help them understand the obligations placed on them and exercise their rights respectively. Indeed, she has already published a number of relevant guidance documents, including—the noble Lord, Lord Kennedy, will be interested to know this—a guide called Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now. It sounds like my type of publication.
Other noble Lords rightly questioned what they saw as unnecessary costs on businesses. My noble friends Lord Arbuthnot and Lady Neville-Rolfe and the noble Lord, Lord Kennedy, expressed concern that the Bill would impose a new layer of unnecessary regulation on businesses—for example, in requiring them to respond to subject access requests. Businesses are currently required to adhere to the Data Protection Act, which makes similar provision. The step up to the new standards should not be a disproportionate burden. Indeed, embracing good cybersecurity and data protection practices will help businesses to win new customers both in the UK and abroad.
A number of noble Lords, including the noble Lord, Lord Jay, asked how the Government would ensure that businesses and criminal justice agencies could continue, uninterrupted, to share data with other member states following the UK’s exit from the EU. The Government published a “future partnership” paper on data protection in August setting out the UK’s position on how to ensure the continued protection and exchange of personal data between the UK and the EU. That drew on the recommendations of the very helpful and timely report of the European Union Committee, to which the noble Lord referred. For example, as set out in the position paper, the Government ​believe that it would be in our shared interest to agree early to recognise each other’s data protection frameworks as the basis for continued flow of data between the EU and the UK from the point of exit until such time as new and more permanent arrangements came into force. While the final arrangements governing data flows are a matter for the negotiations—I regret that I cannot give a fuller update at this time—I hope that the paper goes some way towards assuring noble Lords of the importance that the Government attach to this issue.
Several noble Lords, including the noble Lord, Lord Paddick, in welcoming the Bill asked whether the Information Commissioner would have the resource she needs to help businesses and others prepare for the GDPR and LED and to ensure that the new legislation is properly enforced, especially once compulsory notification has ended. The Government are committed to ensuring that the Information Commissioner is adequately resourced to fulfil both her current functions under the Data Protection Act 1998 and her new ones. Noble Lords will note that the Bill replicates relevant provisions of the Digital Economy Act 2017, which ensures that the Information Commissioner’s functions in relation to data protection continue to be funded through charges on data controllers. An initial proposal on what those changes might look like is currently being consulted upon. The resulting regulations will rightly be subject to parliamentary scrutiny in due course.
The noble Baroness, Lady Ludford, and the noble Lord, Lord Paddick, I think it was, asked about the Government choosing not to exercise the derogation in article 80 of the GDPR to allow not-for-profit organisations to take action on behalf of data subjects without their consent. This is a very important point. It is important to note that not-for-profit organisations will be able to take action on behalf of data subjects where the individuals concerned have mandated them to do so. This is an important new right for data subjects and should not be underestimated.
The noble Baroness, Lady Manningham-Buller, the noble Lords, Lord Kennedy and Lord Patel, and my noble friend Lady Neville-Jones all expressed concern about the effect that safeguards provided in the Bill might have on certain types of long-term medical research, such as clinical trials and interventional research. My noble friend pointed out that such research can lead to measures or decisions being taken about individuals but it might not be possible to seek their consent in every case. The noble Lord, Lord Patel, raised a number of related issues, including the extent of Clause 7. I assure noble Lords that the Government recognise the importance of these issues. I would be very happy to meet noble Lords and noble Baronesses to discuss them further.
My noble friend Lord Arbuthnot and others questioned the breadth of delegated powers provided for in Clause 15, which allows the Secretary of State to use regulations to permit organisations to process personal data in a wider range of circumstances where needed to comply with a legal obligation, to perform a task in the public interest or in the exercise of official authority. Given how quickly technology evolves and the use of data can change, there may be occasions when it is necessary to act relatively quickly to provide organisations with a legal basis for a particular processing operation. The Government believe that the use of regulations, rightly subject to the affirmative procedure, is entirely appropriate to achieve that. But we will of course consider very carefully any recommendations made on this or any other regulation-making power in the Bill by the Delegated Powers and Regulatory Reform Committee, and I look forward to seeing its report in due course.
I look forward to exploring all the issues that we have discussed as we move to the next stage. As the Information Commissioner said in her briefing paper, it is vital that the Bill reaches the statute book, and I look forward to working with noble Lords to achieve ​that as expeditiously as possible. Noble Lords will rightly want to probe the detailed provisions in the Bill and subject them to proper scrutiny, as noble Lords always do, but I am pleased that we can approach this task on the basis of a shared vision; namely, that of a world-leading Data Protection Bill that is good for business, good for the law enforcement community and good for the citizen. I commend the Bill to the House.


Bill read a second time and committed to a Committee of the Whole House.