House of Lords
Tuesday 10 October 2017
Prayers—read by the Lord Bishop of Chelmsford.
Hurricane Irma: Disaster Relief
To ask Her Majesty’s Government whether they intend to undertake an urgent review of the anticipation, preparation, speed of response and chain of command for the United Kingdom’s disaster relief operations in the Caribbean, in the light of the United Kingdom’s response to Hurricane Irma; and if so, whether they will publish the results and any recommendations for change.
My Lords, I beg leave to ask the Question standing in my name on the Order Paper. In doing so, I declare an interest in that I have family living in the Caymans.
My Lords, we are conducting an internal review to identify the lessons learned from the Government’s response to Hurricane Irma, as indeed we do in response to all crisis situations. These findings will of course be incorporated into future crisis responses. The timing of this review will be considered alongside the ongoing recovery efforts in the Caribbean, including the overseas territories. Meanwhile, the Foreign and Commonwealth Office will continue to co-ordinate a cross-government response to any new crisis which may arise.
The Minister’s Answer is very welcome, but in this review will he go back to the review after the tsunami in 2005, when it was clearly stated that the most vital part was for help to arrive in the first 24 hours, or, if that is not absolutely possible, in the first 36 hours? Against that background, will he make sure that the review looks at the date at which the FCO crisis committee met, on 5 September, and say why it did not meet in the previous week? Will that review look at the situation regarding the movement of aircraft from Brize Norton and say why they did not get into the air immediately after the hurricane had left the British Virgin Islands, instead going two days later? Finally, will the review look at why HMS “Ocean” was not moved at least a week earlier to somewhere nearer this side of the Atlantic rather than the middle of the Mediterranean, even though, sadly, it broke down en route in any case?
My noble friend raises a series of questions; in the interest of allowing more questions to be asked, I will write to him specifically to answer them. However, I will pick up on one or two of his points. The UK Government responded within 24 hours. My noble friend may well be aware that RFA “Mounts Bay” arrived within 24 hours of the storm’s impact and restored power supplies at Anguilla’s hospital, rebuilt the emergency operations centres and, importantly, cleared the runway to allow planes that were waiting to arrive at the airports to come in. It then followed on and delivered a similar response to BVI. However, I will respond to the issues my noble friend raised in his other questions.
My Lords, the aid budget is 37% of the defence budget, and the defence budget is under immense pressure. Does the Minister not think that the fantastic work being done by HMS “Ocean” and RFA “Mounts Bay” out in the West Indies should be covered by the aid budget, because, quite clearly, that describes what they are doing?
The noble Lord raises an important question, and it is necessary to put it in the context of the international rules to which we subscribe. As he may be aware, my right honourable friend the International Development Secretary has directly responded to the issue. She has raised it with the OECD and we are also raising the eligibility of ODA spending on the overseas territories and other countries to ensure that, when such crises hit, we are able to make funding available. That said, as the noble Lord may also be aware, we have already allocated £62 million to the aid effort. More is being done, and an additional £5 million was pledged to Dominica, which was recently hit by a hurricane.
My Lords, Hurricane Irma was tracked from the end of August and it hit the first of our overseas territories overnight from 5 to 6 September, but the first COBRA meeting was not until the 7th. Might the review conclude that the Government are distracted by something?
Perhaps the noble Baroness should have enlightened us on what she was alluding to in her question. The short answer is that the Government acted promptly. I have already alluded to the fact that RFA “Mounts Bay” responded. I think that we should take a step back and acknowledge the incredible efforts of our military, the FCO and DfID, as well as neighbouring states, including the assistance given by places such as the Cayman Islands, in responding to the tragedy which hit three of our territories and other regions of the Caribbean.
My Lords, I welcome the information that the Minister has given, and I certainly welcomed the information given by the noble Lord, Lord Bates, in briefing Members of this House. However, one thing that concerned me was the unsightly debate at the Conservative Party conference about where the money should come from. We have a responsibility to our overseas territories, whether they are in need of ODA support or not. It should not be a question of taking money out of Africa to put it into where our responsibilities should lie, and I hope that the noble Lord will reassure us on that.
The noble Lord makes a very valid point about the commitment that the Government made to spending 0.7% of GDI—indeed, it was voted for in this Chamber—and that remains the position. I assure him that, in reviewing any spend, we will continue to prioritise the countries that need development assistance—for example, in the important area of education for girls. I repeat that that will continue to be reflected as a priority. However, at the same time I am sure that we all readily acknowledge the tragedy that has hit the overseas territories. I can tell noble Lords that I was not able to accompany my noble friend Lord Bates to that briefing because I went out to the Turks and Caicos Islands. Seeing the devastation first hand, as I did in Grand Turk, really puts the situation clearly into perspective.
My Lords, what is the very latest date that this review will be published? It will obviously be very important for future disasters such as this. I declare my interest in the Caribbean as according to the register.
I can tell the noble Lord that there is no specific date at this juncture because much of the information is still being collated. We are working very closely with the Governments of the overseas territories on their exact needs. Personnel from DfID, including a team led by a senior DfID official, are collating the current requirements of our overseas territories. I can also share with the noble Lord and the whole House that my right honourable friend the Prime Minister has convened a senior meeting, chaired by my right honourable friend the Foreign Secretary, to bring together all parts of government to ensure a full HMG response to this issue. When I have the final date for the review, I shall of course share it with the noble Lord and others in the Chamber.
Immigration: International Students
To ask Her Majesty’s Government, in the light of the Office for National Statistics’ Exit Check data released in August, whether they will consider the removal of international students from the net migration figures.
My Lords, I beg leave to ask the Question standing in my name on the Order Paper. In doing so, I refer to my interests in the register.
My Lords, the recent publication of exit checks data shows that our reforms since 2010 to tackle abuse in the education sector have worked. Net migration statistics are produced by the independent Office for National Statistics. There is no limit on the number of international students who can come to the UK. As long as students are compliant with Immigration Rules, they should make a very limited contribution to net migration numbers.
My Lords, since 2010, the number of international students coming to the UK has fallen by 6%, while the global market has increased by 7%, with an estimated cost to the UK economy of £9 billion. Does my noble friend agree that this summer’s statistics clearly evidence that there is no material issue with international students overstaying their visas, as 97.4% stayed within those terms? Does she also agree that we need to get out the message, through the FCO, the British Council and all channels and good offices: “Students of the world, you are so welcome here—come study in the UK and be part of our future”?
I agree totally with the points that my noble friend makes. It is very pleasing to see that students are in a very compliant environment. To the year ending June 2017, there was a 9% increase in Russell group universities, and a 17% increase in all student visas granted for Chinese nationals. To bring up a point made in a previous Question, I mention that the proportion of Indian students coming to study in the UK at a higher education institute has increased from around 50% in 2010 to around 93% in the year ending June 2017.
My Lords, does the Minister recognise that citation of selective statistics is not terribly convincing—the Indian figure, for instance, being 50% down over recent years? She sits on the Government Bench, which continually tells us that we have to respect votes. Does she therefore recognise that it might be better if her reply respected the vote of this House by a majority of 94 that students should not be considered as economic migrants, which they are not? Will the Government’s White Paper on immigration, due in a few weeks, cover that issue?
I appreciate that within statistics we can say all sorts of things. However, it is not a myth about the Indian students. People who come here and use services and infrastructure for more than a year are counted as migrants.
My Lords, at present, the number of international students is clearly more than 100,000. If the Government persist in their commitment to keep immigration under the tens of thousands, does that mean that there is no scope for increasing the number of international students, for which there appears to be cross-party support as it would benefit the UK economy? I refer to my interests as recorded.
There are well over 100,000 students. In the 2015-16 academic year, 438,000 students enrolled—almost half a million—and visa applications sponsored by universities are 19% higher than they were in 2010. There is no limit on the number of international students who come to this country, and we welcome them all.
My Lords, what special characteristics do students have that mean that they do not use public services or public transport and do not need accommodation?
My noble friend points out precisely why they are included in the migration statistics.
Are not the figures the Minister gives for the Russell group distorted by the fact that some of those universities have a special visa system?
There has been a tier 4 visa pilot—that is possibly what the noble Lord is referring to—and we will evaluate its effectiveness. However, he actually makes a case for the fact that we welcome international students here.
I jump back to the point made by the noble Earl, Lord Attlee: if we applied that logic, surely we would start to treat tourists as immigrants.
A tourist should come here for a specified length of time, which is not usually a year and is generally under three months. When that stay becomes a year, that person becomes somebody who avails themselves of the infrastructure and public services of this country.
My Lords, does the Minister not agree that the students in the figures that she cited would have registered before there was any thought of Brexit and so forth? As someone who spent several years at the London School of Economics, I am very aware of the bond of respect and loyalty to the country where people study and live for sometimes four or five years; it is very well known. The benefits to that country whether in trade, political co-operation or security matters are immense. Can the Minister not say that students should be considered quite separately from other immigrants who come to this country?
I am afraid that I cannot say that. But my parents were immigrants to this country. They went to university in another country but certainly made this country their home. I agree that the bond that the student has with the country where they study often means that they stay here to work and contribute hugely to the economy of this country. In fact, the MAC is conducting a study on the effect of student migration and will report soon.
Cannot my noble friend accept that there is an overwhelming view in this House that it would be sensible and entirely prudent to treat students separately, particularly at this juncture in our national affairs?
I am neither deaf nor blind to the views of noble Lords on student migration.
I hesitate to intervene in the sense that, frankly, I could not do a more effective demolition job on the Government’s policy than the noble Lord, Lord Holmes of Richmond, did. But I still do not think that we have heard from the Minister why the Government apparently see the overriding need to keep international students in the net migration figures, bearing in mind that the evidence shows that their removal would not make any significant difference to those figures. Is she able to explain to us why the Government are not prepared to stand up now and say that they are about to change their policy? From the response that she gave, which appeared to be a glowing one on the number of students coming into the country, can I take it that the universities are still quite happy that international students are retained within the net migration figures?
What the noble Lord said about high compliance lends credence to the fact that our reforms are working in this area. We wish to continue to attract international students to study in the UK and we absolutely recognise the cultural and financial contribution that they make to this country. That is why we have commissioned the study that I referred the noble Baroness to, and why we do not limit the number of genuine international students who come here to study and from whom UK businesses can recruit.
Stalking and Domestic Abuse
To ask Her Majesty’s Government whether they intend to introduce a register of serial stalkers, including perpetrators of domestic abuse.
My Lords, the Government are fully committed to tackling domestic abuse and stalking and are doing all that we can to protect victims and robustly target perpetrators. Domestic abuse and stalking perpetrators can already be captured on the dangerous persons database and managed by police and probation under multiagency public protection arrangements, or MAPPA. The domestic violence disclosure scheme has also been rolled out nationally to inform and alert new partners about a perpetrator’s previous offending.
My Lords, I am grateful for that Answer and I know the Government are doing what they can. Does the Minister agree that lives would be saved if serial stalking perpetrators were indeed managed in exactly the same way as sex offenders by including them on ViSOR and MAPPA? I also ask her to assure me that the forthcoming consultation on the DV Bill will include something on this register, as promised by the Minister to my colleagues Laura Richards and Zoe Dronfield from Paladin at a meeting held several weeks ago.
Perhaps I may first pay tribute to the noble Baroness for all that she does with Paladin. I really valued being able to go to the Paladin evening, although we only just crossed paths because the noble Baroness was delayed. We are certainly working across Government to develop measures that are both legislative and non-legislative to ensure that we are able to do all we can to protect and support victims, and to bring the perpetrators of stalking and domestic violence to justice. Later this year we will consult voluntary sector partners, experts and parliamentarians on the proposals and we will bring forward a Bill following that consultation. I look forward to the submission by both the noble Baroness and by Paladin, whose representatives I know have had a meeting at the Home Office as well.
In the light of that answer, would the Government consider putting the register to which the noble Baroness has alluded into the much-anticipated domestic abuse Bill? When is that Bill likely to be published, so that offenders can be punished?
We have signalled our intention to bring forward a Bill in this Session. On the register, of course, we have the domestic violence disclosure scheme, which is also known as Clare’s law. It provides a way of disclosing information about a partner’s previous convictions in this area. Also, perpetrators can be put on the ViSOR register for violent and sex offenders. It is important in this space to ensure that we have a register that is simple to use for those who need to use it, and not to over-complicate things by issuing too many registers, with cases potentially falling between the cracks. However, I will be very happy to work with noble Lords on this as we progress towards the Bill.
My Lords, does the noble Baroness agree that cultural change is urgently needed to ensure that the serial perpetrators, rather than the victims, are placed at the centre of investigations and risk management plans? Paladin’s evidence and research show that this is not happening and that women are paying for that with their lives. What actions are the Government taking to ensure that such a cultural change takes place?
The noble Baroness is absolutely right to make the point that cultural change is essential in this area. Often, it is the women who are fleeing their homes and running away from often quite violent and wicked men. I pay tribute to the various groups such as SafeLives, which are providing perpetrator programmes to ensure that women actually remain safe in their homes and, where possible, men can be rehabilitated. I do talk about women and men here because women are most likely to be the victims of these offences.
Perhaps I may also talk about the police’s approach to vulnerability, which was brought up in a previous Question about training. We have awarded nearly £2 million to the College of Policing to transform the police’s approach. This will include a much-enhanced programme of training. I referred earlier to getting the voluntary sector to engage, as well, which would be all to the good since cultural change is sought across all agencies. Unfortunately, we are quite new to this process, although we have been trying to tackle this issue for decades. The noble Baroness has raised a very valid point.
My Lords, as the thinking develops about a register, will the Minister consider having a section devoted to highlighting families with vulnerable young children, who are also the victims of abuse?
I am glad to be able to answer the noble Lord’s question. Of course, we have a register, but one of the things we are looking to acknowledge is that a child who experiences or witnesses just one episode of domestic abuse can be scarred for life. That should be reflected in sentencing. Hopefully, I will be leading on the Bill and I look forward in particular to discussing measures in that area with noble Lords.
National Health Service
To ask Her Majesty's Government what assessment they have made of remarks by the Chief Inspector of Hospitals that the NHS is not fit for the 21st century.
My Lords, the Government agree with Professor Baker’s statement that,
“we need a model of care that is fit for the 21st century and the population as it is now”.
That is why we are backing the NHS’s own plans for transformation with an extra £8 billion a year in real terms by 2020-21 and an extra £2 billion over the next three years for social care.
I thank the Minister for his reply. Does he also agree with Professor Ted Baker’s statement:
“The model of care we have got is still the model we had in the 1960s”,
and that this “needs to change”? Can the Minister say how many of the new models of care are up and running and how many of the sustainability and transformation plans are in special measures? On World Mental Health Day, will he look into how many clinical commissioning groups are failing to commission good and timely mental health care, especially for young people?
The noble Baroness asked a few questions that I will try to deal with. First, on new models of care and STPs: STPs are now being ranked in order to see their fitness for moving forward. The Chancellor announced in the Budget that we will invest £325 million initially, with more funding in the future to support the transformation that we all want to see. The noble Baroness is right to point out that our care model is still based around hospitals and curing infectious diseases, rather than dealing with chronic illnesses and comorbidities. That needs to change.
I echo, as the noble Baroness would, the Care Quality Commission’s report, which talked about staff dedication—nowhere is that more true than in mental health, where staff often deal with very difficult circumstances. It is important to talk about that on World Mental Health Day. She may be interested to know that the Cabinet was briefed today by mental health experts about training programmes going into schools, and so on. There is a lot of work going on, but these are the NHS’s own plans for change, which this Government are backing.
I speak as Professor of Surgery at UCL and chairman of UCL Partners. It is widely accepted that innovation is essential to ensure NHS sustainability. Are Her Majesty’s Government satisfied that there is sufficient emphasis on and support for NHS England in driving types of innovation, such as therapeutic innovation—both in models of care and working practices—that will achieve long-term sustainability?
The noble Lord makes an excellent point. It is true to say that in this country we are very good at creativity and innovation but not always very good at spreading it round. In a way, that is one of the biggest challenges the NHS faces. I would merely highlight a couple of areas where the NHS is working well. The first is the test beds programme, which is working with industry, taking new innovations and spreading them round. Secondly, we have committed to publishing our response to the accelerated access review by the end of the month on how to make sure the most transformative drugs, devices and therapies are taken up throughout the system.
My Lords, can I ask the Minister about the sustainability and transformation programmes? Has he seen the report issued by the King’s Fund last week that said we have fewer acute beds in this country than almost any comparable country? It also pointed out that the plan of many STPs is to reduce acute care numbers even further. I fully accept that we could use our beds and discharge patients more effectively, but the King’s Fund warns that STP plans to further cut acute beds are unsustainable. Will the Government consider that?
Simon Stevens, the head of the NHS, made an important point several months ago about reconfigurations. Any reconfiguration has to meet four criteria: clinical need, popular support and so on. He added a fifth, which was about taking out beds. Those STPs are judged on their ability to meet the changing needs of their population. If there are proposals to take out beds which mean that those needs will not be met, such reconfigurations will not be accepted.
Does the Minister agree that the major problem in the NHS today is the enormous increase in demand? It is not old people getting older; it is not young people being couch potatoes, because inactivity does not cause obesity. The obesity epidemic is what is wrecking the NHS.
The NHS is seeing more people than ever—I think that some 1,500 more people a day are being seen in A&E. A lot more people are going through the service. The truth is that there are a number of factors: there are factors around lifestyle and around ageing. The point is that we have to change. At the heart of this Question is the comment made by the chief inspector about our not having new models of care. We need to change the way in which we provide care. That means integrated care, with much more of it based in the community. That means us all taking difficult political decisions about how care is configured so that it meets changing needs related to obesity and ageing.
My Lords, a major problem facing the NHS is the drastic shortage of nurses. As the Government have changed the funding of nurse training at universities and as those universities now have their students in place, can the Minister give us any figures on the number of nurses in training in this current year?
I know that the noble Lord has been concerned about this issue. I hope that he heard my right honourable friend the Secretary of State announce last week not only an increase in the number of nursing associate places, where qualification is through an apprenticeship route, but a 25% increase in the number of degree training places and funding for the clinical placements that they involve.
Can the Minister say whether he found helpful the House of Lords Select Committee report on the long-term sustainability of the NHS and social care?
The noble Lord knows that I found it extremely helpful. It has pride of place on the coffee table in my office, and we will of course respond to it in due course.
Adult Social Care in England
Private Notice Question
To ask Her Majesty’s Government how they plan to respond to today’s Care Quality Commission report on the state of Adult Social Care in England in which it states that “some 1.2 million people are not receiving the help they need, an increase of 18% on last year”.
My Lords, I beg leave to ask a Question of which I have given private notice.
My Lords, the Government are committed to improving the quality and availability of adult social care in England. That is why we passed the Care Act in 2014 to provide for the first time a national eligibility threshold for care. It is why we are investing £2 billion more in social care provision over the next three years and have plans to reform how care is funded for the long term.
My Lords, the situation in social care is deteriorating and the Government’s strategy to handle the challenge is inadequate. The situation is getting worse because of the fundamental change in the demographic of this country. Some 15,000 people are now 100 years old, and the size of that cohort is increasing. Surgeries are closing, hospitals are inadequate, and 1.2 million people are unpaid carers and themselves over the age of 65. This calls for a radical, fundamental response, rather than the usual Green Paper and sums of money. That is not enough. This country faces a crisis of demographic change.
I agree in part with what the noble Baroness said in the sense that demographic change represents a big challenge. She mentioned the over-100s. The population of over-85s will double between now and 2037. As the CQC report makes clear, many of those people will have difficulty with the basic behaviours and actions they need to be able to live independently. That is the big challenge that we face. The report provides a very honest exposure of strengths and weaknesses in the current system. The strengths are there, though the noble Baroness perhaps did not give them as much credit as they deserve. The report says:
“Overall, the quality of care remains relatively stable, with the majority of all care rated as good and improvements in some services”.
Indeed, only 1% of services are rated inadequate. Clearly we want that percentage to be zero but it is better than in other sectors. I do not disagree with the noble Baroness about the demographic challenges we face. As I said in my first Answer, we are trying to put more funding in, to recruit more staff and raise quality now that we have this national threshold. We hope to decrease variation and then look for a long-term solution that will solve this problem that we have all been wandering around for the last 20 years.
My Lords, as a care provider for the last 17 years I say humbly to my noble friend that we need to pay care staff a proper wage so that they can actually have a life that is not just about existing. I am told constantly that local councils are being given extra funding. It is not trickling down to the providers and there needs to be a really serious look at the level of funding and at what we are entitled to pay care staff, because with Brexit around the corner we are going to need ever more of our own homegrown talent to provide those places.
The noble Baroness speaks from experience here. On the point about paying care staff, one of the greatest beneficiaries from the new national living wage are and will be care staff. That will increase over time and is one of the reasons why increased funding needs to go into the system. She also talks about the interface with local authorities. She will know that it is a very fluid market, with providers registering and deregistering all the time. We are trying to make sure that there is a proper review of the quality of the interface between local authorities and the National Health Service. Some do it very well, with very few delayed transfers, while others have huge problems. We get people in beds who should be in a care setting, either in a nursing home, in community care or at home. Those reviews are taking place and should highlight some practice that is not good enough. The challenge will be to work with those councils to make sure they do something about it.
My Lords, is the Minister aware that the CQC has drawn attention to the loss of 4,000 nursing home beds in the last year? Does he accept that this is a loss that the NHS could do without? What action are the Government taking to increase the number of nursing home beds in this country?
The noble Lord is quite right that the CQC report highlights that. It also highlights a broadly stable residential care home situation. What is changing the nature of care provision is the increase in the amount of domiciliary and community-based care that is being provided; we are seeing a shift there. The CQC report also shows big discrepancies across the country in terms of the proportion of beds per head of population. That is one thing we are trying to address, to make sure there is much more evenness of care.
My Lords, the CQC report emphasised the need to co-ordinate care by stating that in future it will report not only on the quality of care in individual providers but on the quality of co-ordination between services. It quotes examples of services working together using technology and innovation to share data and improve care. How do the Government plan to encourage this approach? Will they look at funding models to make sure that they encourage co-ordination rather than deter people from co-ordinating?
The noble Baroness makes an excellent point. We will certainly look at those funding models. Co-ordination, as we have been saying, is the way forward, because if you are a user of care in your eighties, you may be visiting a GP, you may be based in a nursing home, and to you, it ought to be one system and you ought to be travelling through it smoothly. Of course, we know that that is not the case at the moment, and the noble Baroness is quite right to highlight that there are great gains to be made, whether from having pharmacists in nursing homes or from having GPs coming to visit. Her point about technology and data is a good one. We still have an argument to win in reassuring people that their data are safe within the NHS so that they can be confident that they are used wisely for their direct care. That is the policy area I am now responsible for, since the election, so I am focused on providing that reassurance so that we can unlock the kind of innovation she is talking about.
My Lords, is the Minister able to give us any idea about when we may see the Green Paper for which some of us feel we have been waiting 40 years? Will it contain any revisiting of the Government’s response to the so-called Dilnot proposals about a cap on social care costs, about which there was so much confusion in the general election?
I am sorry to disappoint the noble Baroness but I am not able to give her any more details on the timing of the consultation.
Will the Minister reassure the House that the long-delayed Green Paper will address not just resources but some of the other points that have already been raised, and maybe one or two others? For example, how do we recruit, retain and motivate a high-quality workforce? How do we provide urgent support for many small providers, which are struggling to survive, let alone improve the quality of the service? How do we make use of the digital potential that exists, which is currently not being realised? How do we get a real integration of health and social care services around the client? Will he reassure the House that these issues will be addressed explicitly?
The consultation is looking primarily at the funding situation but in doing so it will have to consider the shape of the market and making sure that the whole system is put on a sustainable basis for the future, which obviously will involve looking at some of the issues the noble Lord has highlighted.
My Lords, first, I congratulate the Government on making £2 billion available to social care. That is very welcome, but there is great variation in social care across the country which needs to be tackled, as well as the need to focus and co-ordinate services between acute and social care. Can my noble friend the Minister say exactly how NHS England will be helped to ensure that this is tackled quite urgently?
The noble Baroness is quite right. In social care and the delayed transfers of care from hospitals, there is a huge amount of variation across the country. The additional money that was announced in the Budget comes with a variety of conditions, which has not been the case previously. One of these is to reduce the amount of variation in the quality of services available from local authority to local authority. For the first time, a set of reviews is taking place of local authorities—some of which will be facing challenges, others will not yet be—to make sure that that interface between the NHS and social care, which is one of the big problems where the system falls down, is looked at; that people are moving forward smoothly; that money is crossing those silos; and that the kind of service being provided is joined up and is actually providing for the needs of the people affected.
Race Disparity Audit
My Lords, with the leave of the House I shall repeat a Statement made by my right honourable friend the First Secretary of State in another place. The Statement is as follows:
“Mr Speaker, I wish to make a Statement about the race disparity audit, which the Government are publishing today through a new website—Ethnicity Facts and Figures—and a summary report, which I have ordered to be placed in the Library of the House. The audit was announced just over a year ago by the Prime Minister as part of her commitment to tackling injustices in society. This exercise has been unprecedented in scale, scope and transparency. It covers detailed data on around 130 different topics, from 12 government departments.
The first product of the audit is the website, which is created to be used by all citizens. It has been developed through extensive engagement with members of the public from across the UK, public service workers, NGOs and academics. I hope honourable Members will agree, once they have had the chance to examine it, that the website is clear and user-friendly. Each section of the website includes simple headlines and charts, and allows users to download all the underlying data.
Although the past few decades have witnessed great leaps forward in equality and opportunity in British society, this audit shows that there is much more still to do if we are to end racial injustice. In itself, that will sound to honourable Members like an unsurprising conclusion. However, the audit adds a lot more clarity and depth to that single challenge. It tells us in which public services there are the largest disparities, whether those are increasing over time or diminishing, and about the influence of poverty and gender on the wider picture. For example, black people were more than three times more likely than white people to be arrested and more than six times more likely to be stopped and searched.
There are three issues that demonstrate the added complexity of the data. First, there are significant differences in how ethnic minorities are doing in different parts of the country. For example, while employment rates are generally higher for white people than for ethnic minorities, there is a larger gap in the north than in the south. Also, if people are expecting a report that is relentlessly negative about the situation for ethnic minorities in Britain today, I am pleased to say that it is simply not the case that ethnic minorities universally have worse outcomes. For example, people of Indian and Pakistani origin have similar levels of homeownership to white people, though this is not true of other ethnic minorities. Secondly, on some measures there are very significant differences between ethnic minority groups. Education attainment data show there are disparities in primary school which increase in secondary school, with Asian pupils tending to perform well and white and black pupils doing less well, particularly those eligible for free school meals. Finally, on other measures, it is white British people who are experiencing the worst outcomes, for example in relation to self-harm and suicide in custody or smoking in teenagers.
In terms of what happens next, the data set out on the website present a huge challenge, not just to government, but also to business, public services and wider society. We hope this website will contribute to a better-informed public debate about ethnicity in the UK and support local managers of public services to ask how they compare to other services.
On behalf of the Government, I have committed to maintaining and extending the ethnicity facts and figures website. More importantly, I commit that government will take action with partners to address the ethnic disparities highlighted by the audit. We have made a start through initiatives such as the Department for Work and Pensions taking action in 20 targeted hotspots. Measures in these areas will include mentoring schemes to help those in ethnic minorities into work and traineeships for 16 to 24 year-olds offering English, maths and vocational training alongside work placements.
In the criminal justice system, I want to thank the right honourable Member for Tottenham for his recent report, and I am pleased to announce that the Ministry of Justice will be taking forward a number of recommendations made in the recent Lammy review. These will include developing performance indicators for prisons to assess the equality of outcomes for prisoners of all ethnicities, committing to publish all criminal justice datasets held on ethnicity by default and working to ensure that our prison workforce is more representative of the country as a whole.
In addition, the Department for Education will take forward an external review to improve practice in exclusions. This will share best practice nationwide and focus on the experiences of those groups who are disproportionately likely to be excluded. The House can expect further announcements on future government work to follow in the coming months.
The approach the Government are taking is “explain or change”. Where significant disparities between ethnic groups cannot be explained by wider factors, we will commit ourselves to working with partners to change them. The race disparity audit provides an unprecedented degree of transparency into how ethnicity affects the experiences of citizens. It will be a resource which tells us how well we are doing as a society in ensuring that all can thrive and prosper, and I commend it to the House”.
My Lords, I thank the Minister for repeating this Statement this afternoon. As he said, much more work needs to be done. It is good that we now have the Government’s race audit, although it is a shame it was delayed from its original release date in July. I am not sure why the Government made that decision to delay it.
The outcome of this race audit cannot come as a surprise to the Prime Minister. After all, in 2010 she wrote to the then Prime Minister that there is a real risk that women, ethnic minorities, disabled people and older people would be disproportionately affected by proposed cuts. But now, as Prime Minister, knowing full well the damage that would be caused by these cuts, she has said nothing to remedy the problems she foresaw as Home Secretary and has in fact made them worse.
We need solutions and a sustained effort to really tackle these injustices, and the Government are simply not yet providing those. I was pleased that the Minister mentioned the mentoring schemes. It is always good to have mentoring schemes for people, but we believe they are not ambitious enough. The closure of Sure Start centres and the closure of Connexions were mistakes made by this Government—knowing full well the disproportionate effect that these closures would have on groups with protected characteristics.
I have a number of questions for the Minister. Will he confirm how many groups and organisations were consulted as part of the race audit? Will he confirm whether there are plans to extend the audit’s analysis to devolved regions such as Wales, Scotland and Northern Ireland? Can he confirm for the House what steps the Government will take to tackle the racial disparities exposed in this audit and other reports released recently? What is their timescale for taking action, and what framework will they be using to judge improvements?
In the last general election, Labour issued a manifesto to tackle problems of discrimination. We said we would introduce equal pay audit requirements on large employers, implement the Parker review recommendations to increase ethnic diversity on the boards of Britain’s largest companies, and enhance the powers and functions of the Equality and Human Rights Commission, which is what we plan to do when we are in government.
I hope the Minister is able to provide us with answers to these questions today. We need a Government willing to take decisive action to tackle racial inequalities and I look forward to what the Minister has to say about how this audit will be implemented.
My Lords, this audit shines a light on the prejudice and bias that continue to blight the lives of black and ethnic minority members of our communities. It lays out the challenges we face as a society, which cross party lines. Mrs May, our Prime Minister, commissioned this audit and she cannot now shy away from tackling the causes, which are cuts to public services and a shrinking state. This comes alongside another report, by the Runnymede Trust, on the impact of austerity on black and minority ethnic women in the United Kingdom. It shows that BME households are being hardest hit by austerity, with a drop in living standards of 19.2% for black households and 20% for Asian households.
I have some questions for the Minister. Will each department be required to put forward a plan setting out why these disparities exist and how they will close the gap? What are the next steps? For example, will there be a Cabinet committee looking at this? Given the Prime Minister’s commitment to this cause, perhaps she might chair it herself. Finally, the Equalities and Human Rights Commission’s budget has been cut by almost 70% since it was created, and its current budget will be cut by a further 25% over the next four years. The Government are talking the talk by publishing this audit—but will they walk the walk and make available the resources to tackle these terrible problems that we face?
I am grateful to both noble Baronesses for their broad welcome of the publication of these statistics. On the question of the delay, no one has ever done this before and there was no template for us to follow. No other country has done this. It was a complicated exercise. We wanted to make sure that the data were of the right quality, and that has contributed to the delay from the hoped-for date earlier this year. We are taking steps to address some of the problems that have been mentioned, particularly the 20 hot spots, which we have not announced yet, where there will be special measures by the DWP to help those who find it difficult to get into work, such as mentoring, which the noble Baroness, Lady Gale, mentioned, traineeships and other steps to help people into work.
The noble Baroness asked a good question about the devolved regions. The Minister, my noble friend Lord Bourne, is meeting the devolved regions tomorrow. The initial indications are that the Welsh Assembly is quite anxious to participate but so far the Scottish Parliament has been somewhat more reluctant, as my right honourable friend said in another place. The devolved regions hold some of these statistics. We have provided only statistics for data that are reserved; the devolved Assembly and the Scottish Parliament have many of the local data. I very much hope that they will either join in this or take it forward in their own way. As I said, there is a meeting tomorrow to take this matter forward.
On the question of who was involved, the race disparity audit that was published at the same time said:
“Ongoing and wide-ranging consultation with potential users of data has helped identify questions of public interest and concern, and to understand how to present the data objectively and meaningfully in a way that makes sense to users and commands their confidence. This has included roundtable discussions with NGOs, public service providers and academics, and engagement with the public”.
So there was a fairly extensive consultation exercise before we published this.
In response to further questions that were asked, we expect there to be further announcements in due course from other government departments taking the agenda forward. In response to the noble Baroness from the Liberal Democrat Benches, there will be an interministerial group where all the departments involved will be represented to take it forward. The noble Baroness will be familiar with the Parker report, which looked at representation on executive boards, and we need to take that agenda forward. However, this is not just a matter for the Government; it also poses some difficult questions for those in the private sector.
“Explain or change” applies to the Government as much as to everyone else. We will have to explain why these figures are as they are. If there is not a good explanation then we will have to make changes, and we will come forward with those in due course.
My Lords, in the 1950s and 1960s it was perfectly legal to put adverts in shop windows saying, “No blacks or coloured people”. There has been a gradual improvement, but in the past few years here, in the United States and in much of Europe it has gone the other way. There is a lot of xenophobia, which was very evident in the Brexit debate. Does the Minister agree that to some extent that explains why we have this continuing problem?
The noble Lord is right to say that we in this country have made enormous progress. I was looking at the Equality and Human Rights Commission report Is Britain Fairer?, which says:
“The reader will find that Britain has become fairer in many areas. We should be proud of and celebrate these advances. If we do not recognise the positives, we run the risk of feeding an untrue and excessively negative narrative that suggests everywhere you look we are becoming more divided and less fair as a nation”.
I think there has been enormous change and improvement in social attitudes, underpinned by relevant race equality legislation. The noble Lord is right that there was a spike—I hope it was just a spike—after the referendum result, and that poses a challenge to all those government departments with responsibility for promoting good relationships. There is particular responsibility for the police on the law and order front. In publishing this document, we recognise that we have progress to make in a wide number of areas.
My Lords, I add my welcome for the publication of this report. Sunshine is often the best disinfectant, and bringing transparency to areas where more work needs to be done to tackle persistent inequality and prejudice is most welcome. I encourage the Government to develop a proactive agenda to tackle these issues. At the same time, there is some positive evidence in the report, particularly regarding the British Indian community, which comes top in a number of earnings and education indicators. For example, 35% of British Indians earn more than £1,000 a week, versus an average of 24% in that income bracket across the population; and 14% of British Indian children achieve three A grades or better at A-level. Does my noble friend agree that the British Indian community provides a role model for how a minority group can integrate successfully into British society and make a positive and outstanding contribution to this country?
I agree with my noble friend. One positive fact that emerged from this audit was that 85% of ethnic minority people believe that they are British and identify very strongly with their community. That is a very positive sign. My noble friend is right that in many of these indicators, the Indian community does well; but, by contrast, they reveal that the Bangladeshi community does not do nearly so well on many of the same indicators. We need to understand the reasons, address them and see whether we can bring those members of the ethnic minorities who do not achieve quite as well as the Indian community in the respect that my noble friend mentioned up to the same standard.
My Lords, although, let me be clear, the Church of England has nothing to teach anyone else on this subject—our record is not a good one—in the diocese of Chelmsford, where I serve, which includes the east London boroughs, which have some of the most diverse communities in Europe, we have found that of course there is racism and xenophobia but there is also what has been explained to me as unconscious bias. It is not quite the same as racism; it is those things which prevent us from seeing each other as clearly as we need to. Both in the Church of England generally and in the diocese where I serve, we have done a lot of training over the past couple of years to help people to see their own unconscious bias towards people, and this is already bearing fruit in the church context with black and global majority people coming forward into positions. I wondered whether the Government had looked at that both for us and in wider society to try to move the debate on beyond the binary thing of, “Somebody is a racist or they are not”.
I welcome the work which the right reverend Prelate has been doing in east London, in his diocese. If there is a template there, a model of working which can have wider application, of course the Government would be interested. One thing that I discovered from going on to the website this morning, which I had not appreciated before, is that black people are disproportionately more likely to engage in voluntary work than any other group. If one digs into the audit, there is a lot of good news there about ethnic minorities, which I hope we can now put in a wider domain. If we can build on the good work that the Church has done in east London and apply it to some other areas where there are big ethnic minority populations, the Government would be delighted.
My Lords, congratulations have already been received by the Government on publishing this race disparity audit. It has been well presented and the Prime Minister has done the country a good service. I understand from inside information that, of the 25 people around the Cabinet table this morning, there was only one under 40 years of age. It would be interesting to see the list of those who attended the Cabinet discussion this morning and to know why there was only one person under 40, given that some of the information made available to the newspapers reveals that many of the key factors affect those under 30. Does it indicate whether the Government’s relationships with people under the age of 30 may need a little enhancement and support to ensure that this race equality audit is put into place?
As the Minister referred to the fact that he looked at the audit this morning, perhaps he could also tell the House whether it says anything about the race profiling undertaken by customs officers, border control and police services. Although that may not necessarily relate to education or employment, it is infuriating, especially for black people, who find themselves consistently stopped, undermined and picked on. Sometimes it actually reverses their commitment to nationhood.
In response to the last question posed by the noble Lord, I have looked at the website and I think I am right in saying that it does not contain the data to which he has referred about those who are stopped at border control or customs. I shall double check that and, if I am wrong, I shall write to him.
On the broader point, I was not sitting around the Cabinet table this morning but, if I had been, I would certainly not have scored as being under 40. I shall make some inquiries but, in the Statement made by my right honourable friend in the other place, he said that there were 12 representatives of NGOs at that meeting and that there was a universally positive response. The representative of Black Vote said that this was a real opportunity to make transformational change.
I take the noble Lord’s point about those under 40. My party has a challenge in that regard, which we need to address between now and the next general election. But one good thing about the audit data is that they break down by age, showing for example that those offenders most likely to reoffend are between the ages of 15 and 18. So there is a lot of information about age there—but it is also broken down by ethnicity, which will help us to tackle particular areas in the criminal justice field.
My Lords, I did not intend to say anything on race, because I have spoken for 60 years in this country. There have been many changes, but we are not talking about black people—this is about white people, and the Aryan myth of white superiority. I would be very grateful if somebody did some sort of exercise to bring forth that myth of white superiority. We forget that education came from Africa to the west; noble Lords can look that up and will find out that it is true. I have had 60 years in race relations—and I gave up a career to work in that field because I was fortunate to have had a good education early on in the Caribbean. We do not have people coming to universities here from the Caribbean who are unworthy of taking their place without getting an access course. That is happening in white Britain. Before I die, please show me that you will look at that myth of white superiority and, for God’s sake, end that discussion.
I applaud the work that the noble Baroness has done over many years in the field of promoting better community relationships. One thing this audit does is to demolish the myth of white superiority. According to the indicators, white children leaving school do much worse than particular ethnic minority groups. As I said in the Statement, white children are more prone to smoke than children from other ethnic minorities. It helps to identify those areas in which ethnic minorities are outperforming the white British. If I refer to black people, that is the language used in the report, on the website and in the Statement. But I hope that when the noble Baroness has an opportunity to look at the website, she will find that some of her fears about promoting white superiority are allayed.
The race disparity audit is very welcome. I have worked in the race equality field since the mid-1980s, and I was a commissioner on the Equality and Human Rights Commission when the report to which the Minister referred about how fair Britain is came out some years ago. It is depressing that there are still areas that have not improved, through discrimination, poverty or class—through a variety of factors. It cannot be right that black and ethnic minority children are more likely to be excluded and are less likely to go to a decent university; they are more likely to end up in prison, and they also, perhaps, may have to change their names on their CV to get an interview. Lots of research has been done; those are the stubborn areas that we need to tackle.
A lot of this is new, but an awful lot of it is not and has been around for many years—we have been talking about it for many years. Will the Government undertake to have a coherent race equality strategy which, as my noble friend Lady Burt said earlier, is cross departmental, and whereby Secretaries of State have responsibility in their own departments to tackle this issue and make a difference?
I agree with much of what the noble Baroness has just said. If one looks at excluded children, which I did this morning, one sees that those most likely to be excluded are Traveller children and those in the Roma community. Publishing the figures highlights the fact that those children are more likely to be excluded. The noble Baroness is right that there are substantial discrepancies and differences between particular ethnic groups when it comes to exclusion. Now those who run our schools will have to explain or change—that is the whole purpose of the exercise.
On a coherent race equality strategy, again, I hear what the noble Baroness says. As I mentioned a moment ago, there will be an interministerial group to take this forward. I anticipate that there will be interest in both this House and another place now that we have published the report and the Government have explained how they are making progress in eliminating some of the discrimination that has appeared.
My Lords, in debating these matters, will my noble friend bear in mind the advice of the late Lord Bauer—the distinguished economist Professor Peter Bauer, at whose feet I was lucky enough to sit many years ago as an undergraduate—that sometimes the word “difference” is more enlightening than “inequality”?
Yes—and, again, if my noble friend has time to look at this, he will see that often there are very good reasons why there are differences. But he has given me some good advice and I will stop there.
My Lords, the Runnymede Trust has found that 59% of black Caribbean children, 44% of black African-Caribbean children and 61% of mixed race children grow up in a single-parent family, compared with an average in this country of 22%. The figures highlight the fact that it needs to be understood that many Afro-Caribbean fathers are identified as not being with the family at birth but are found to be there when the child is five. I have worked with many young black boys—and, indeed, white working-class boys—who feel the lack of a father. Will the Minister and his colleagues think when they decide how much to fund local authorities in future how harmful it is to such vulnerable families as these when funding for children’s centres and family support groups is cut, as it has been in recent years? These are the families who pay the greatest cost. They need the most support to stay together and intact so that we do not continue the generational breakdown in families.
The noble Earl is quite right. Again, I looked at some of the figures this morning. Children who grow up in single-parent families are disproportionately likely to have Afro-Caribbean mothers. That, of course, has a knock-on effect on the income of the household, which in turn has a knock-on effect on expectations and in some cases achievement. The specific question of how one recognises these challenges in the formula for the revenue support grant is one that I will pass on to the Secretary of State at CLG to make sure that he takes it on board as we look at next year’s RSG.
My Lords, I want to follow up on the previous comments of the noble Earl from the Cross Benches, which relate to what my noble friend Lady Howells said. We need to address busting the myths about one of the issues, which is the impact of families living with a single parent and the claim that there is always an impact. That myth is always about black parents. There are countless single-parent families in this country and many children have done well, so we should not continue to perpetrate this myth because it adds to the burden of racism that many families have to face. I welcome the audit and whatever it is going to deliver, but it would be very helpful if the Minister said what the timeframe is for explaining and for action. The noble Lord himself will know about some of the issues around disparity and discrimination—whatever we wish to call it—and the challenge of making ourselves a more equal and just society. He has many long-standing associations with Tower Hamlets. He knows all about this issue, as do other members of the Government. I want to be told about the parameters of action to be taken rather than about the audit or the changes envisaged, because change has obviously not taken place over a generation. Therefore, I would welcome a little more certainty about the timeline.
Change will not happen overnight; this will take some time to put right. On the first part of the noble Baroness’s intervention, there need be no more myths about growing up in single-parent families because the figures are now clearly set out on the website. She can see that there are significant variations according to the ethnicity of the family. The figures are there and we have to respond to that. On the question of government responses, I announced in the Statement some action that is being taken by the Ministry of Justice and the Department for Work and Pensions. There will be other announcements in due course from other departments as they take the agenda forward.
My Lords, I commend my right honourable friend the Prime Minister as she has been passionate about getting this issue on the agenda for as long as I have known her, which is a very long time. Could we start first with Whitehall? Many people of all ethnicities come into Whitehall but, when it comes to promotion, we seem to lose people of colour along the way and very few positions across Whitehall are held by people from ethnic minorities. I am not sure that mentoring is the answer, because I do not think you need it if you have an equal level of education.
My noble friend is absolutely right. The statistics showing the percentage of those from ethnic minorities employed in the public sector are in the report. She is right to say that there is good representation at the lower levels but much less as one goes up the chain. Again, that is a question for the Government to explain or change. If one looks at the Armed Forces, the Army has a relatively good record with some 10% of personnel coming from ethnic minorities, but the RAF has a less good record. Therefore, there are challenges for the Civil Service and those in the public sector to look at the figures and establish why those from ethnic minorities are disproportionately represented in the less well-paid posts.
My Lords, I welcome this report because it focuses on an issue that affects the whole of society, even more so than when I came here from Trinidad as a 10 year-old in 1960. I was born in Trinidad so I knew that I was worthy and I knew about my history, but a lot of young black and Asian minority children do not know about their history. It is Black History Month so I have visited schools, universities and prisons. Just this morning I visited a school in Bedfordshire to talk about Black History Month. When I visited prisons, I realised just how much black men did not know about their history and how they felt let down by the education system not focusing on who they are. To move forward you need to know where you have been and where you have come from. What are the Government doing to create a safety net and ensure that BAME children do not fall through it? We need a safety net to help and protect them and show them that they belong. We owe it to them and we owe it to our young people—not just black people but white people too—to teach them about black history and how we can all move forward to make our country, Great Britain, great again.
Again, I commend the work that the noble Baroness has done in this field. If I may say so, she is an admirable role model for those in our country. The specific question she raises—the extent to which one wants to change this issue and inject into it the dimension to which she referred—is one for the Department for Education and the national curriculum. I very much hope that schools will teach not just British history but history more generally, particularly in those areas where they have children coming from a wide variety of different backgrounds. I will certainly pass that suggestion on to my noble friend.
Data Protection Bill [HL]
That the Bill be now read a second time.
My Lords, I am delighted to be moving the Second Reading today and look forward gratefully to the help of my right honourable friend the Minister of State at the Home Office and my noble friends Lady Chisholm and Lady Vere.
New technologies have started innumerable economic revolutions, and the pace of change continues to accelerate. It is 20 years since we passed the last Data Protection Act, and since then we have seen the explosive growth of the world wide web, the rise of social media and faster and faster connectivity, powering new devices like the smartphone. The nature of developing technologies such as artificial intelligence and machine learning suggests that continuing transformation and change is the norm.
This has not escaped the notice of your Lordships’ House. Earlier this year we debated many of these issues in the new Digital Economy Act. We have a new Select Committee to examine artificial intelligence, chaired by the noble Lord, Lord Clement-Jones, who is not able to be in his place today as the committee is hearing evidence this afternoon. In March, the Communications Committee published a timely report on growing up with the internet, and just before the Summer Recess the EU Select Committee gave us a very helpful report on data protection. Just yesterday I moved the Second Reading of the Telecommunications Infrastructure (Relief from Non-Domestic Rates) Bill, which will help pave the way for a full-fibre future and 5G. Personal data is the fuel of all these developments. Data is not just a resource for better marketing, better service and delivery. Data is used to build products themselves. It has become a cliché that data is the new oil.
Twenty years ago data protection rights were used to obtain a copy of your credit record or to find out what information about you a public authority had collected. Today we worry daily about cyberattacks, identity theft and online crime. But we are fortunate that our existing laws have protected us well. For all the technological change I have described, we have successfully preserved our rights and freedoms, and we have strong oversight in the shape of an internationally respected Information Commissioner.
Looking ahead, we have three objectives. First, with all this change we need to maintain trust. Data must be secure, with transparency over how they are used and a proportionate but rigorous enforcement regime in place. Secondly, we must support future trading relationships. The free flow of data across international boundaries, subject to safeguards, must be allowed to continue. Thirdly, we must ensure that we can continue to tackle crime in all its guises and protect national security, making sure that our law enforcement agencies can work in partnership domestically as well as internationally.
The Data Protection Bill meets these objectives. It will empower people to take control of their data, support UK businesses and organisations through the change, ensure that the UK is prepared for the future after we have left the EU, and, most importantly, it will make our data protection laws fit for the digital age in which an ever increasing amount of data is being processed. The Bill meets and exceeds international standards, and, with its complete and comprehensive data protection system, will keep the UK at the front of the pack of modern digital economies.
The Bill makes bespoke provision for data processing in three very different situations: general data processing, which accounts for the vast majority of data processing across all sectors of the economy and the public sector; law enforcement data processing, which allows the effective investigation of crime and operation of the criminal justice system while ensuring that the rights of victims, witnesses and suspects are protected; and intelligence services data processing, which makes bespoke provision for data processed by the three intelligence agencies to protect our national security.
The reform of protections for the processing of general personal data will be of greatest interest to individuals and organisations. We are setting new standards for protecting this data in accordance with the general data protection regulation, known as the GDPR. Individuals will have greater control over and easier access to their data. They will be given new rights and those who control data will be more accountable.
In our manifesto at the general election we committed to provide people with the ability to require major social media platforms to delete information held about them, especially when that information related to their childhood. The new right to be forgotten will allow children to enjoy their childhood without having every personal event, achievement, failure, antic or prank that they posted online to be digitally recorded for ever more. Of course, as new rights like this are created, the Bill will ensure that they cannot be taken too far. It will ensure that libraries can continue to archive material, that journalists can continue to enjoy the freedoms that we cherish in this country, and that the criminal justice system can continue to keep us safe.
The new right to data portability—also a manifesto commitment—should bring significant economic benefits. This will allow individuals to transfer data from one place to another. When a consumer wants to move to a new energy supplier, they should be able to take their usage history with them rather than guess and pay over the odds. When we do the weekly supermarket shop online, we should be able to move our shopping list electronically. In the digital world that we are building, these are not just nice-to-haves; they are the changes that will drive innovation and quality, and keep our economy competitive.
The Bill will amend our law to bring us these new rights and will support businesses and others through the changes. We want businesses to ensure that their customers and future customers have consented to having their personal data processed, but we also need to ensure that the enormous potential for new data rights and freedoms does not open us up to new threats. Banks must still be allowed to process data to prevent fraud; regulators must still be allowed to process data to investigate malpractice and corruption; sports governing bodies must be allowed to process data to keep the cheats out; and journalists must still be able to investigate scandal and malpractice. The Bill, borrowing heavily from the Data Protection Act that has served us so well, will ensure that essential data processing can continue.
Having modernised our protections for general data, in Part 3 the Bill then updates our data protection laws governing the processing of personal data by the police, prosecutors and other criminal justice agencies. The Bill will strengthen the rights of data subjects while ensuring that criminal justice agencies can continue to use and share data to investigate crime, bring offenders to justice and keep communities safe. The Bill does not just implement the recent directive on law enforcement data protection; it ensures that there is a single domestic and transnational regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector.
People will have the right to access information held about them, although there are carefully constructed exemptions to ensure that investigations, prosecutions and public safety are not compromised. People will always have the right to ensure that the data held about them is fair and accurate, and consistent with the data protection principles.
Part 4 protects personal data processed by our intelligence agencies. We live in a time of heightened and unprecedented terrorist threat. We are all grateful for the work done to protect us, especially by those whom we see every day protecting us in this House. The intelligence services already comply with robust data-handling obligations and, under the new Investigatory Powers Act, are subject to careful oversight. My noble friend Lady Williams signed the latest commencement order in August to bring into force provisions relating to the oversight of investigatory powers by the Investigatory Powers Commissioner and the other judicial commissioners.
Data processing by the intelligence agencies requires its own bespoke data protection regime, not least because the GDPR standards were not designed for this kind of processing and data processing for national security purposes is outside the scope of EU law. That is why this part of the Bill will instead be aligned with the internationally recognised data protection standards found in the draft modernised Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data.
Noble Lords will be familiar with the role of the Information Commissioner, whose role is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Bill provides for her to continue to provide independent oversight, supervising our systems of data protection, but we are also significantly enhancing her powers. Where the Information Commissioner gives notices to data controllers, she can now secure compliance, with the power to issue substantial administrative penalties of up to 4% of global turnover. Where she finds criminality, she can prosecute.
The Bill modernises many of the offences currently contained in the Data Protection Act, as well as creating two new offences. First, as recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care, the Bill creates a new offence of the unlawful re-identification of de-identified personal data. To elaborate, huge datasets are used by researchers, as well as by those developing new methods of machine learning, and these are often pseudonymised to protect individual privacy. We need to ensure that those who seek to gain through re-identification are clear that we will not tolerate assaults on individual privacy, nor on the valuable data assets that are fuelling our innovative industries.
Secondly, the Bill creates a new offence of altering or destroying personal data to prevent individuals accessing it. Such an offence is already in place in relation to public authorities, but now it will apply to data controllers more generally. We are equipping the commissioner with the powers to deal with a wider range of offending behaviour.
Cybersecurity is not just a priority for the Government but a deep running concern of this House. Effective data protection relies on organisations adequately protecting their IT systems from malicious interference. Our new data protection law will require organisations that handle personal data to evaluate the risks of processing such data and implement appropriate measures to mitigate those risks. Generally, that means better cybersecurity controls.
Under the new data protection framework, if a data breach risks the rights and freedoms of an individual, data controllers—both for general data and law enforcement purposes—are required to notify the Information Commissioner within 72 hours of the breach taking place. In cases where there is a high risk, businesses must notify the individuals concerned. This landmark change in the law will put the need for serious cybersecurity at the top of every business priority list and ensure that we are safer as a nation.
As we move into the digital world of the future, the Data Protection Bill will both support innovation and provide assurance that our data is safe. It will upgrade our legislation, allowing the UK to maintain the gold standard in this important field. Of critical importance, strong protections of personal data are the key to allowing free flows of data to continue between the EU and UK as we build a new partnership. I look forward to hearing noble Lords’ comments on the Bill. I beg to move.
My Lords, I thank the Minister for his comprehensive introduction to the Bill. I look forward to working with him, in what seems to be a never-ending stream of legislation from the previously rather quiescent DCMS. This is our sixth Bill together, and long may it continue.
The Minister mentioned his talented team joining him on the Front Bench—this is a joint venture between the DCMS and the Home Office. On my side, I am joined by my noble friend Lord Kennedy and supported by my noble friends Lord Griffiths and Lord Grantchester.
I congratulate the Bill team on the excellence of the paperwork that we have received—I am sure everybody has read it, word for word, all the way through; it is worth it. They are obviously ahead early in the “Bill team of the year” stakes, a prize which they won easily last time on the Digital Economy Bill, and they are building on that.
We also welcome the chance to debate the excellent House Of Lords EU Committee report, not least because of the substantial weight of evidence that it has brought to this debate, which I will refer to later.
This is a tricky Bill to get hold of, first because of its size and volume. It is a bulky package and it is not even complete because we are told to expect a large number of amendments still being processed and not yet available which may—who knows?—change it substantially. Even without that, it has 300 paragraphs and 18 schedules, one of which helpfully signposts the way that the Government intend to make changes to the Bill so that the GDPR becomes domestic law when we leave the EU, even though the amendments to make that happen will actually be made by secondary legislation. This is “Hamlet” without the prince.
The GDPR itself, which runs to 98 paragraphs—or articles, as it calls them—and which will be the new data-processing law that comes into force in May 2018 whether or not we in Parliament have agreed it, is not actually printed in the Bill. That therefore raises the concern that—post Brexit, courtesy of another, separate Bill, probably by secondary legislation—the regulations will become UK law without ever having been scrutinised by either House of Parliament. I wonder if other noble Lords share my feeling that this is a bad precedent and, if so, what we might do about it. I suspect that this decision might have made sense were we to stay in the EU but we are going to leave, so there is a gap in our procedures here. That is compounded by the fact that this is a Lords starter Bill that comes to us without the benefit of consideration in the other place, and particularly without the usual evidence-taking sessions that ensure that a Bill meets the needs of those affected by it.
I have a suggestion: given the expertise displayed in the EU Committee report HL Paper 7 that we are debating in parallel today, could the authorities arrange for that committee to look carefully at the Bill and at the GDPR in its printed form and arrange for that committee to bring forward either a report or simply a testimony about what the GDPR contains, how it is reflected in the Bill and how it works? It would help the House to do the job that we ought to be doing of scrutinising this legislation. I gather that the committee is due to meet shortly and perhaps the noble Lord, Lord Jay, who speaks in a few minutes, might respond if he can. I am sorry for embarrassing him if he is not prepared for that.
The Government claim that the Bill,
“will bring our data protection laws up to date”,
“ensure that we can remain assured that our data is safe as we move into a future digital world”.
We will probe that rather florid assertion in Committee over the next few weeks, paying particular reference to the needs of business to have certainty about the rules that will be applied in this key sector of our economy in the medium and long term and the need for consumers, particularly vulnerable people and children, to be better supported and protected in this brave new digital world. What we are embarking on here is the precursor to the legislative nightmare that will accompany all our Brexit discussions. As we will hear from the noble Lord, Lord Jay, and others from the EU Committee who considered this, the key issues are what will happen if we leave the Common Market and the customs union, and whether there are any ways in which the Government can secure unhindered and uninterrupted flows of data between the UK and EU post Brexit. The report concludes that,
“any arrangement that resulted in greater friction around data transfers between the UK and the EU post-Brexit could hinder police and security cooperation. It could also present a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage”.
In his opening remarks, the Minister said all the right things about the Government’s commitment to unhindered and uninterrupted flows of data post Brexit, but the Bill comprehensively fails to set out how they plan to deliver that outcome. Worse, it may contain measures in Parts 3 and 4 that make it impossible to achieve the “adequacy” agreement, which is the only card that they have left to play post Brexit. You could not make it up.
Some 43% of EU tech companies are based in the UK and 75% of the UK’s data transfers are with EU member states. Even if the Bill successfully aligns UK law with the EU data protection framework as at 25 May 2018, that does not mean that the Bill makes proper provision for the future. On the UK’s exit from the EU, the UK will need to satisfy the European Commission that our legislative framework ensures an “adequate level of protection”, but achieving a positive adequacy decision for the UK is not as uncontentious as the Government think. Under article 45, the GDPR requires the European Commission to consider a wide array of issues such as the rule of law, respect for fundamental rights, and legislation on national security, public security and criminal law when it makes its decision. As has already been pointed out by several commentators, the current surveillance practices of the UK intelligence services may jeopardise a positive adequacy decision, as the UK’s data protection rules do not offer an equivalent standard of protection to that available in the rest of the EU. We will need to pursue this disjuncture in Committee.
The Government seem to have lost sight of the need to ensure continuity during the transition period and afterwards. Surely they must have measures in place to reassure businesses that they will pass the adequacy test and ensure “stability and certainty”, particularly for SMEs, as pointed out by the European Union Committee. If there was any doubt about the importance of this, I draw the attention of your Lordships to a briefing from the ABI which states that the ability to transfer data between firms in different jurisdictions is of particular importance to our insurance and long-term saving providers, who rely on data to provide their customers with the best products at the best price. The association goes on to say that:
“Losing the ability to access, and make use of, European and international data flows risks isolating the UK from the increasingly globalised market. Creating a system where UK insurers have to abide by dual or multiple regulatory systems in order to transfer data internationally will create inefficiencies, legal uncertainty, and risks damaging the global competitiveness of UK insurance”.
My second point was also raised by the European Union Committee. It is about how to establish sustainable longer-term arrangements, about which the Bill is remarkably silent. Even if the UK’s data protection rules are aligned with the EU regime to the maximum extent possible at the point of Brexit, once we leave the EU, policies will be developed within the EU 27 without our input. The EU will inevitably amend or update its rules either by new regulations or by case law derived from ECJ/EU decisions. This is of course a toxic issue for Brexiteers, but it needs to be addressed in the Bill and, no doubt, in many other areas. Perhaps a way forward here would be for the Information Commissioner to have a duty placed on her to make regulations which reflect the changes taking place in the EU, or the Bill could provide for some form of lock-step arrangement under which statutory instruments would be triggered when UK laws need to be amended. We will look at this again in Committee.
I turn now to data protection. Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime. Ensuring that the public can trust that their data is handled safely, whether in the public or the private sector, is important for everyone. If we cannot get this right in the Bill, people will not benefit to the fullest extent possible from the new data-handling services which are coming on stream now and in the future. We welcome the Government’s decision—a rather surprising one—to gold-plate some of the requirements of the legal enforcement directive, particularly the fact that the Bill will ensure that for the first time the data protection regime applies to the intelligence services. Indeed, as the Information Commissioner has observed, including these provisions in a single piece of primary legislation is welcome, although there is a need for much more detail about how this will work in practice.
My point on this is that there seems to be an imbalance in the Bill, with much more consideration being given to the rights of data subjects. At a time of increasing concern about the use and misuse of personal data, is there not a need for a broader and far more ambitious set of regulatory structures for data capitalism, as it is now called? The big tech companies have for far too long got away with the conceit that they are simply neutral platforms. They are not; they are active media and information companies, and their stock market valuations are based on the data flows they generate and how they can be monetised. With that role surely should come broader societal responsibilities, but the Bill does not go into this area at all. There is nothing about regulating fake news, no attempt has been made to ensure that data companies are covered by competition and other regimes which apply to media companies, and there are no proposals to deal with the allegations being made about undue influence by social media companies and others on politics and elections both here and in the US. We will certainly table amendments in this area.
On more concrete issues about the rights of data subjects, we have a number of issues to pursue, although today I shall concentrate on only three: children and the “age of consent”, the rights of data subjects in relation to third-party use of their data, and the proper representation of data subjects. I shall end with some thoughts on the Leveson report and its implications for this Bill.
The Bill proposes to set the age at which children can consent to the processing of their data through “information society services” which include websites and social media platforms at 13 years. That is a surprising decision and no credible evidence has been adduced to support it. Understandably, there is much concern about this low age limit, particularly as the general data protection regulation gives discretion in a range up to 16 years of age. Last month, the Children’s Commissioner for England said:
“The social media giants have … not done enough to make children aware of what they are signing up to when they install an app or open an account”.
These are often the first contracts a child signs in their life, yet,
“terms and conditions are impenetrable, even to most adults”.
I think we can all say “Hear, hear” to that. The commissioner also said:
“Children have absolutely no idea that they are giving away the right to privacy or the ownership of their data or the material they post online”.
Setting an age limit of 13, or even 16, would almost certainly be illegal under the UN Convention on the Rights of the Child, to which the UK is a signatory. Perhaps the Government could respond on that point.
The Children’s Society argues that if companies continue to rely on their current practices—whereby they allow only over-13s to have an account but have no age verification process to check that children who are consenting are the age they state themselves to be—then there will continue to be widespread breaches of both the companies’ own rules and this new Data Protection Act. In the Bill, it is unclear how breaches will be handled by the Information Commissioner and what penalties will be put in place for those companies failing to verify age properly.
There is also no consideration in the Bill about capacity, rather than simply age, or protection for vulnerable children. Although there are arguments for setting the age limit higher—or indeed lower—there is surely a need both for proper evidence to be gathered and for a minimum requirement for companies to have robust age verification systems and other safeguards in place before any such legislation is passed. We will pursue that. There is also the question of the overlap this derogation has with the right to be forgotten, which the Minister mentioned. That right kicks in only at age 18; we need to probe why that is the case and how that will work in practice.
During Committee, we want to check that the current rules affecting data subjects’ personal data are unchanged by the new laws. Taking the data of workers and prospective workers as an example, there are concerns about where personal data has been collected: it should be gathered, used and shared by employers only following affirmative, meaningful consent. The recent disgraceful cases of blacklisting come to mind in that respect, and we are also concerned about whistleblowers’ rights. The House has been very strong on that point.
Concern about the increasing use of algorithms and automatic data processing needs to be addressed, perhaps requiring recording, testing and some level of disclosure about the use of algorithms and data analysis, particularly when algorithms might affect employment or are used in a public policy context. Related to that is the question of the restriction on data subjects’ rights in relation to processing data contained in documents relating to criminal investigations. Here, we agree with the Information Commissioner that the provision, as drafted, restricts not just access rights but the right to rectification, the right to erasure and the restriction of processing. We welcome greater clarification on the policy intent behind this as we go into Committee.
We welcome the Government’s proposal for an offence of knowingly or recklessly re-identifying de-identified personal data without the data controller’s consent. The rapid evolution of technology and growth in the digital economy has led to a vast increase in the availability and value of data. There is a clear need for robust safeguards against misuse in this area.
On representation, we welcome the provision in article 80(1) of the GDPR which gives greater ability for civil society and other representative bodies to act on behalf of citizens and mirrors consumer rights in goods and services. However, article 80(2) contains a provision that the Government have chosen not to implement, under which consumer groups that operate in the privacy field can act on behalf of data subjects without a particular complainant. We think that this super-complainant system would help to protect anonymity and create a stronger enforcement framework. We know we are supported in that belief by the Information Commissioner.
The wider question here is perhaps whether data subjects in general, particularly vulnerable ones, have sufficient support in relation to the power of media companies that want to access and use their data. Does any of us know what really happens to our data? The Information Commissioner’s Office already has a huge area of work to cover and may struggle to cover all its new responsibilities. Having a better system for dealing with complaints submitted by civil society bodies may be a good first step, but I wonder whether we might think harder about how this will be organised—perhaps modelled on the Caldicott data guardians.
Finally, there has been a lot of debate since the publication of the Leveson report on the cultural practices and ethics of the press, particularly on the role of a future regulatory framework. There has been far less discussion on Lord Leveson’s recommendations to extend data protection regulation. I reassure the Government that we do not see this Bill as an opportunity to rerun many of the excellent debates or table amendments that we have already considered in your Lordships’ House in recent years. Of course, much remains to be done in this field, and the Government’s lack of action is a national disgrace and a flagrant betrayal of the victims who trusted them and gave them a once-in-a-generation chance to sort out the situation, which they have comprehensively failed to take. However, if amendments of this type come forward, we will consider them on their merits, although a better approach would be for an all-party consensus to try to bridge the gap once and for all between the press and Parliament. I hope to have further discussions on this point.
I give notice that we will table amendments which probe why the Government have decided not to bring forward the Leveson recommendations covering: exemptions from the Data Protection Act 1998, available for investigative newsgathering by journalists; extending the scope for statutory intervention over the press by the Information Commissioner; and changes to the power, structure, functions and duties of the ICO relevant to the press. We will also probe whether the Government intend to implement amendments previously made to Section 55 of the Data Protection Act by virtue of Section 77 of the Criminal Justice and Immigration Act 2008, which would allow terms of imprisonment of up to two years to be imposed for offences of unlawfully obtaining disclosure of personal data. As the Information Commissioner has previously noted, this has much wider application than just to the press, because there is an increasing number of cases of blagging and unauthorised use of personal data which must be stopped.
The Government have set themselves a very tight timetable to pass this Bill into law before the end of April 2018. We will support the main principles of the Bill, but, as indicated above, many areas need to be scrutinised in depth before we can agree to them. I hope that we can gather more evidence and find a way of bringing Hamlet back into the play by looking in detail at the GDPR before it becomes the law of the land. If data is the new oil, we owe it to the country and particularly our children to get this right and to get our laws fit for the digital age.
My Lords, I am delighted to follow the noble Lord, Lord Stevenson, in this debate. I am a little puzzled, because some months ago I took part in a rather emotional debate where we said farewell to him on the Front Bench and, since then, they seem to have been working him harder than ever. As the Minister will already have gathered from his intervention, although he can look to the noble Lord’s support for the Bill, in many parts it will be like Lenin’s support for the social democrats: like a rope supports the hanging man. We will look forward to working with the noble Lord, Lord Stevenson, on many of the points that he has raised, not least on part 2 of Leveson.
I open this debate for the Liberal Democrats because, as the Minister has already explained, my noble friend Lord Clement-Jones is chairing the Committee on Artificial Intelligence this afternoon. He will return to the fray later in the Bill’s passage to do a lot of the heavy lifting with my noble friend Lord Paddick.
While wishing the Bill well, our approach will be to try to ensure that individuals have to the maximum extent possible control of their own data and that data are used responsibly and ethically by individuals and by both public and private bodies. This will be of particular concern in law enforcement areas where, for example, the use of algorithms throws up concerns about profiling and related matters.
It is clear that the Brexit decision and timetable will cast a long shadow as we debate the Bill. The Information Commissioner, Elizabeth Denham, has already warned that data adequacy status with the EU will be difficult to achieve within the Government’s Brexit timetable and a major obstacle has been erected by the Government themselves. The European withdrawal Bill makes it clear that the EU Charter of Fundamental Rights will not become part of UK law as part of the replication process, yet Article 8 of the charter relating to personal data underpins the GDPR. How then will we secure adequacy without adhering to the charter?
As the noble Lord, Lord Stevenson, indicated, there are many other issues relating to the GDPR and Brexit, particularly the need to examine and test the derogations in the Bill, which I am sure will be raised by colleagues and others and which we will probe further in Committee.
While referring to the Information Commissioner, I put on record our view that the Information Commissioner’s Office must continue to be adequately funded and staffed during this period of great uncertainty. The biggest changes since our debates on the Data Protection Act 1998, or even the early stages of the GDPR, which I was involved in as a Minister at the MoJ from 2010 to 2013, is that the threat to civil liberties and personal freedoms now comes not only from agencies of the state but from corporate power as well.
A week today, on 17 October, the Royal Society of Arts will host a discussion entitled “The Existential Threat of Big Tech”. The promotion for this event says:
“The early 21st century has seen a revolution in terms of who controls knowledge and information. This rapid change has profound consequences for the way we think. Within a few short decades the world has rushed to embrace the products and services of four giant corporations: Amazon, Facebook, Apple and Google. But at what cost?”.
That question prompts an even more fundamental question. We have become accustomed to the idea that some financial institutions are too big to fail. Are we approaching a situation where these global tech giants are too big to regulate? As a parliamentarian and democrat, every fibre of my being tells me that that cannot be so. We have to devise legislation and have the political courage to bring the global tech giants within the compass of the rule of law, not least in their roles as media operators, as the noble Lord, Lord Stevenson, indicated.
These modern tech giants operate in a world where the sense of privacy which was almost part of the DNA of my own and my parents’ generation is ignored with gay abandon by a generation quite willing to trade their privacy for the benefits, material and social, that the new technology provides. That is why we are so indebted to the noble Baroness, Lady Lane-Fox. Her speech in the debate she initiated in this House on 7 September is required reading in approaching the Bill. That speech contains her oft-repeated warning about sleepwalking to digital disaster, but it also robustly champions the opportunities open to a digitally literate society. I know that she will have an ally in my noble friend Lord Storey in championing better and earlier digital education in schools. The noble Lord, Lord Puttnam, recently pointed out that Ofcom already has an existing statutory duty to promote digital education. It will be interesting to learn how Ofcom intends to fulfil that obligation.
The elephant in the room always in discussing a Bill such as this is how we get the balance right between protecting the freedoms and civil liberties that underpin our functioning liberal democracy while protecting that democracy from the various threats to our safety and well-being. The sophisticated use of new technologies by terrorist groups and organised crime means that we have to make a sober assessment of exactly what powers our police and security services need to combat the terrorist attack and disrupt the drug or people trafficker or the money launderer. The fact that those threats are often overlapping and interconnected makes granting powers and achieving appropriate checks and balances ever more difficult.
On the issue of crime fighting, I recently attended a conference in the Guildhall, sponsored by the City of London Corporation, the Atlantic Council and Thomson Reuters. Its title was “Big Data: A Twenty-First Century Arms Race”. It could have been called “Apocalypse Now”, as the threat to business, the state and the individual was outlined, from existing technologies and from those fast approaching and identified. I was encouraged that there seemed to be an appetite in the private sector to co-operate with the police and government to ensure that big data can be effectively tamed to ensure better compliance, improve monitoring and reporting and prevent illicit financial flows. I will be interested to know whether the Government have a similar appetite for public/private co-operation in this area.
One point was made with particular vigour by Thomson Reuters. With offerings such as World-Check, it plays a key role in Europe and globally in helping many private sector firms and public authorities identify potential risks in their supply chains, customers and business relationships. It made it clear that it will be needing a number of clarifications in the Bill so that it will be able to continue to provide its important services, and we will probe those concerns and the concerns of others in the private sector in Committee.
In Committee we will also seek to raise concerns brought to us by Imperial College London and others about the efficacy of Clause 162 on the re-identification of de-identified personal data. We will need to probe whether the clause is the best way of dealing with the problem it seeks to address. I notice that the noble Lord, Lord Stevenson, gave it his approval, as did the Information Commissioner, but it is a legitimate question.
There is no doubt that the greater transparency and availability of data provided by government has contributed to citizens’ better understanding of and access to government information and services, but public concerns remain about the use of data in certain sectors. For example, although there are clear benefits to medical research from giving researchers access to anonymised medical data, it remains a matter of concern to the public, the media and the profession itself. Your Lordships will have received a briefing from the BMA on the matter and I am sure probing amendments will be required in Committee.
I am by nature an optimist, so I believe the noble Baroness, Lady Lane-Fox, when she tells us, as she did in this House a month ago, that,
“we can harness the power of these technologies to address the other great challenges we face”.—[Official Report, 7/9/17; col. 2110.]
In my youth I read Robert Tressell’s The Ragged Trousered Philanthropists, a parable about how working men were complicit in their own exploitation. We are in danger of becoming the 21st century’s ragged trousered philanthropists if we do not have a framework of law by which we can constrain big data from misusing the information we so profligately provide every day in every way.
I do not believe that sprinkling Bills with Henry VIII clauses is an answer to the challenge of future-proofing. Perhaps there is a case for expanding the remit of the National Data Guardian to act as an early warning system on wider data abuse—or that of the Information Commissioner or our own Select Committee—but there is a need. I fear that without some permanent mechanism in place, we will be for ever running up the down escalator trying to match legal protections to technical capacity. But that is no excuse for not trying to improve the Bill before us. We will work with others so to do. Looking at the speaking list, the Minister is not going to be short of good and expert advice on how to do that.
My Lords, it is always a pleasure to follow the noble Lord, Lord McNally. It is always a good thing when one optimist follows another. As chairman of the EU Home Affairs Sub-Committee, I will speak mainly about the EU Committee’s report on the EU data protection package, which we are debating alongside the Second Reading of the Data Protection Bill.
I understand that it is unusual procedure to debate a committee report alongside a Bill but I believe that it makes sense on this occasion. As the noble Lord, Lord Stevenson, said, the committee meets shortly—indeed, tomorrow—and I am sure it will consider his proposal, but taking into account how that would fit in with the traditional role of the committee and the programme we already have before us, I am sure the noble Lord will forgive me if I do not go further than that at this stage. We have not yet received a response to our report from the Government, which we await with keen anticipation, but we are pleased that this Second Reading debate has given us an opportunity to bring the EU Committee’s findings to the attention of the House.
In their recent Brexit position paper, The Exchange and Protection of Personal Data—A Future Partnership Paper, the Government said that they wanted to maintain free and uninterrupted data flows with the EU after we leave; and in proposing a new security and criminal justice treaty between the UK and the EU in her recent Florence speech, the Prime Minister laid out her ambition for a model underpinned by, among other things, high standards of data protection. Our report supports this objective: free and uninterrupted data flows matter to us all. But the committee was struck by the absence of clear and concrete proposals for how the Government plan to deliver that objective. The stakes are high, not least because the introduction of greater friction in data transfers could present a real barrier to future trade. It is hard to overstate the importance of cross-border data flows to the UK economy. Getting on for half of all large EU digital companies are based in the UK, and three-quarters of the UK’s cross-border data flows are with EU countries. What is more, any impediments to data flows following our withdrawal from the EU could seriously hinder police and security co-operation, and that means that lives, not just money, are at stake.
In our report, we considered four elements of the EU’s data protection package: the general data protection regulation—the GDPR—which the Data Protection Bill seeks to transpose into UK law; the police and criminal justice directive; the EU-US privacy shield, and the EU-US umbrella agreement. Both the regulation and the directive will enter into force in May 2018, while we are still a member of the EU. The agreements with the US are already in force, but will cease to apply to the UK after our withdrawal. Our report considers the Government’s policy options both short and long term.
The committee wanted first to look at possible data protection arrangements once the UK becomes a third country outside the EU, and we heard evidence on two broad options. The first option is for the UK Government to secure a so-called adequacy decision from the European Commission which would certify that the UK offered a standard of protection that was “essentially equivalent” to EU data protection standards. To date, the Commission has adopted 12 such decisions. The second option would be for individual data controllers and processors to adopt their own safeguards using tools such as standard contractual clauses and binding corporate rules. Our report comes to a clear conclusion that this second option would be less effective. The tools available to individual data controllers, including small businesses, are bureaucratic and would be vulnerable to legal challenges. We therefore agree with the Information Commissioner that the Government should seek an adequacy decision for the UK as a whole. This should offer certainty for businesses, particularly SMEs. It would also follow the approach taken by Switzerland, which has secured an adequacy decision from the EU. I am therefore pleased that the Government’s position paper also calls for a future relationship that builds on the adequacy model.
But there is a fly in this particular ointment. The general data protection regulation only provides for adequacy decisions for third countries, not countries leaving the EU. Decisions also follow a lengthy procedure, so the chances of having an adequacy decision in place by March 2019 are small. So to avoid a cliff edge, we will need transitional arrangements. The Government’s position paper acknowledges this but lacks detail. I hope that in responding to this debate the Minister will update us on the Government’s thinking on transition and perhaps provide some more of that detail. In particular, I hope that as a Home Office Minister she can comment on the risks facing law enforcement. One of the most striking findings in our inquiry was that as a third country the UK could find itself held to higher standards of data protection than as a member state. This will be the case both when the European Commission considers an adequacy decision and when the UK’s data retention and surveillance regime is tested before the Court of Justice, at which point we will no longer be able to rely on the national security exemption enjoyed by member states under the EU treaties. The United States has fallen foul of EU data protection law in the past, and it is not impossible that the United Kingdom will do the same when it is no longer a member state.
On a related theme, the committee also considered whether the UK’s data protection regime would continue to be influenced by EU legislation after withdrawal. What we found was that the general data protection regulation will continue to apply to transfers of personal data from the EU to the UK, significantly affecting UK businesses that handle EU data. If we obtain an adequacy decision, the rulings of the new European Data Protection Board and the Court of Justice will have an effect, albeit indirectly, by altering the standards that the UK will need to maintain an adequate level of protection. This means that there will be no clean break. We will also continue to be affected by EU rules on the onward transfer of personal data to third countries. This could be a particular problem in the field of security, whereby our approach to sharing personal data with, say, the United States could put any adequacy decision at risk. In summary, it seems likely that EU and UK data protection practices will need to remain alive long after we leave the EU.
The Bill that we are debating today reflects a comprehensive EU data protection regime which has been heavily influenced over the years by the United Kingdom. Withdrawal from the EU means that we stand to lose the institutional platform from which we have exercised that influence. The committee’s report therefore concludes that the Government must aim to retain the UK’s influence wherever possible, starting by securing a continuing role for the Information Commissioner’s Office on the European Data Protection Board. I am glad that the Government’s data protection position paper spells out our aim to do just that, but in the longer term, the Government will also need to find a way to work in partnership with the EU to influence the development of data protection standards at both the EU and the global level. The continued success of our commercial and security relations with the EU will depend on that.
My Lords, I thank the noble Lord, Lord Jay, for enabling us to discuss the EU data protection package alongside the Data Protection Bill, but I will address my comments to the Bill.
Although I also welcome the rights and protections for children that the Bill offers, not least the right to be forgotten, there is one very important point of detail where reconsideration is urgently needed, which has already been mentioned by the noble Lord, Lord Stevenson, namely the age of consent for children to give their personal information away online in exchange for products and services without a parent or guardian needing to give their permission. The proposals in Clause 8, as we have already heard, set this age of consent at 13. However, a recent YouGov survey of the public commissioned by the BCS, the Chartered Institute for IT, shows very little support for this. Indeed, a whopping majority of 81% thought the age should be set at either 16 or 18. The Bill’s Explanatory Notes state that the Government have chosen this age—the youngest possible allowed under the incoming GDPR rules—because it is,
“in line with the minimum age set as a matter of contract by some of the most popular information society services which currently offer services to children (e.g. Facebook, Whatsapp, Instagram)”.
In other words, a de facto standard age of consent for children providing their personal information online has emerged, and that age has been set by the very companies that profit from providing these services to children. It might be that 13 is an appropriate age for consent by children to give their information away online, but surely that should be decided in other ways and with much greater reference to the public, and I do not think this has happened. It is certainly at odds with the results of this recent survey.
Moreover, Growing Up with the Internet, the recently published report of the Select Committee on Communications, on which I am privileged to serve, examined the different ways in which children use the internet through the different stages of childhood. We received lots of evidence that lumping together all young people between the ages of 13 and 18 was really not helpful, and that much more research was needed. To bow to the commercial interests of Facebook and others therefore feels at the very least premature, and the example of its usefulness given in the Explanatory Notes—that this would somehow ease access to,
“educational websites and research resources”,
so that children could “complete their homework”—somewhat naïve, particularly in the light of other conclusions and recommendations from the Growing Up with the Internet report, not least that digital literacy, alongside reading, writing and arithmetic, should be considered a “fourth R”; that the Government should establish the post of a children’s digital champion at the centre of government; that children must be treated online with the same rights, respect and care that has been established through regulation offline; and that all too often commercial considerations seem to be put first. So 13 might be the right age but it might not, and at the very least, further consultation with the public and with parents is needed.
My Lords, it is a great pleasure to follow the right reverend Prelate, who has touched on one of the points that have attracted most attention since the Bill was published and began to generate comment. I also hope that the committee of the noble Lord, Lord Jay, might be able to give us some kind of report and assessment on GDPR because, while I think the Bill is important in its own right, it is quite awkward to discuss it in the absence of a very important part of the regulations that will apply in this country or any assessment of the linkages or potential disparities that may exist between the two. I beg that the committee might consider this a priority.
I think the House will agree that this is an important use of legislation, and its scope is—necessarily, I think—very large. There is no real activity in society these days that does not generate data that is processed in some way. Because of the scale of data creation—the figures are extraordinary—usage continues to grow exponentially and personal data is extremely bound up in all that. All of us are affected by the data world. It is increasingly obvious that the functioning of the economy and of public services depends on the availability, accuracy and security of data. It is also key to wealth creation. It has become very clear in the series of strategies that the Government are producing at the moment that data lies absolutely at the heart of the way in which this country will be able to make its way forward and remain a prosperous society, and therefore that we have to get the regulation of data right. It is the basis on which we will advance general knowledge and welfare in society.
The Government have produced a Bill that enables us to tackle detail, and it is the detail on which this House will focus in later stages. It is impossible in a discussion of this kind to do justice to all the angles. I shall in later stages want to focus on the cyber and national security elements, but today I shall focus on what I regard as a potential opportunity, provided we get the regulatory framework right. That is research, which has not featured much so far in our deliberations.
The abundance of datasets that society simply has not had before opens up to us the possibility of types of research which can lead us to enormous discovery and greater beneficial activity and welfare. For instance, it will enable medicine to be put on an essentially personalised rather than generic basis, and the UK should have a huge advantage in the longitudinal data that the NHS possesses, which no other country can rival. It ought to be something where we can make a real pitch for both advancing welfare and increasing wisdom, knowledge and wealth in our society. Obviously, that depends on the use of data being proper and the regulation of it not getting in the way, which is not a theoretical issue. Existing legislation, which comes largely from the EU, combined with the way in which the precautionary principle has sometimes been applied, means that some kinds of trials in some fields in this country have now become so difficult to conduct within the EU that companies engaging in them have decamped elsewhere—often to the United States—to the intellectual and commercial impoverishment of Europe. That is a practical illustration of how important it is to get the balance between trying to regulate against abuse and the opportunities that you should leave open.
As the UK leaves the EU, it will be essential—I use the word “essential”—for the UK to be able to demonstrate adequacy. I hope the Government will assure us on that point and produce the necessary regulatory framework to enable it to happen. Some very big issues here have already been mentioned and I will not repeat them. Adequacy does not mean that the UK should simply cut and paste all EU legal provisions where reliance on national law and derogations are real options in front of us. There are some where we should be availing themselves of them. Nor do we need to make privacy safeguards—which are very important—so demanding that they become self-defeating, standing in the way of benefiting patients, in the case of medicine, and the community more generally.
The Government have made it clear that they want the Bill to support research, which is extraordinarily welcome. I hope that when she replies, the Minister will be able to say something about how the Government will approach the changes that will be needed to deal with research issues in the UK. The Bill classes universities as public bodies, and universities lie at the core of the research community. It is fair enough for universities to be classed as public bodies—that is what they are—but the legislation then denies them the right to invoke public interest, or even legitimate interest, as a basis for their research, and thus obliges them to seek explicit consent when using data at every stage of processing. This becomes very onerous if you are doing a long study. That may on the face of it seem reasonable but, in practice, it can do real harm. The whole point of research is that often at the outset it cannot be 100% certain where it may lead or whether further processing or trials may be necessary. You can get a situation in which unexpected and unplanned-for research is available and could yield real dividends. That is especially true of interventional research. If, as a result of wanting to take it to a further stage, the data processing demands that there should be another round of explicit consent, you get into a situation whereby universities—unlike some of the public bodies in government, which do not have to follow this procedure—have to go round again to all those who offered their personal data in the first place. Seeking the consent of holders of the data anew may simply not be possible, especially in long-term research projects. People move house or become incapable; they also die.
Even if those problems can be overcome—and I think they are real—there is a question of proportionality. Why make consent so onerous that it makes research too difficult in practice and too costly to engage in? There needs to be greater proportionality on this issue and greater alignment between the various bodies that use data in this way, and there needs to be some alternative to consent as the basis for engaging in some kinds of research. Numerous government mechanisms are available, not least ethics committees, which are a key component of modern research and could provide the necessary safeguards against abuse. I recognise that there need to be safeguards, but I suggest that we should use some imagination in how they could be brought about.
In this country, we are very rich in research conducted by voluntary, not-for-profit and charitable bodies. They often supplement what the public sector and universities are unable or unwilling to do, but they do not find a place in this legislation, which posits that all research of value is conducted by “professional bodies”—a definition that excludes many organisations doing valuable work under the terms of the existing law. That law is to be tightened up, which may create difficulties. I am associated with one such organisation, and I want to give a tiny illustration of the problems that arise as a result of being outside the field of professional bodies.
I am involved with an organisation called Unique, which deals with rare genetic disorders, whereby datasets to be useful have to be gathered globally. The number of people with those afflictions is so tiny in any given population that you have to go across the globe to connect useful datasets, which means in turn that you come up against some of the provisions that govern transnational transmission of data. However, the rarity of such individual disorders also makes every patient’s data precious to other affected individuals, because it is potentially a very tight community. No other organisation is dealing with that affliction in that way, and Unique can give support and advice to otherwise lonely parents and their equally isolated medics, who turn to Unique for information about alike cases. There is a network there.
By insisting on onerous consent regimes, we are in danger of disabling such organisations from continuing their pioneering work. In Unique, it is not uncommon for parents who have not been in touch for a long time suddenly to turn to it with a request for help. Try telling families, many of whom are not in the UK but are in third countries, who are coping with the daily stress of caring for a disabled child or adult, that they must be sure to keep up online with the stringent requirements of UK data legislation and that failing to do so will mean that they run the severe risk of no longer being able to get the kind of individualised attention and support that they seek from the very organisations set up to help them. The problem is that the law will lay down the need for the regular reconsultation and re-consent of individuals in very precise ways, and that such individuals might not reply, not understanding the potential hazards involved in failing to do so. One might say that data anonymisation might solve the problem. It solves some problems, but it creates new ones in an organisation set up for certain purposes where the idea is that one fellow sufferer can help another. So piling difficulties on small organisations—there are other difficulties that I have not even mentioned—might lead ultimately to an unwanted outcome, which will be a reduction in effectiveness.
I am not pleading for essential provisions on privacy to be disregarded. That would not be a sensible plea. However, I suggest that we are still in the foothills of the data-driven world and, while it is right to demand rigorous standards and strict enforcement, that is not the same as passing narrow and inflexible legislation that will have unwanted and unnecessary side-effects. The research base of this country needs a wider base for lawful consent and this legislation should recognise that not all valuable research fits into normal categories. I would like the Government to think about the possibility that they should allow for the creation of governance and accountability regimes that will fit special circumstances—and I am sure that we will come across others as we go through this legislation. The existence of the Information Commissioner should not result just in enforcing the law effectively and well; it should provide an opportunity for creativity under her auspices and the ability to create variations on governance regimes where they are needed.
My Lords, I welcome the modernisation of data protection law that the Bill represents and the intention to comply with EU law in the regulation and directive—which of course we must do while we are still in the EU. I am particularly concerned with the future and the prospects for an adequacy decision from the Commission if we find ourselves outside both the EU and the EEA. A failure to get such a decision would be extremely harmful for both businesses and other organisations and for law enforcement.
I will look briefly at the past. In 2013 in the European Parliament I was one of the lead MEPs establishing the Parliament’s position on the regulation. I believe that we did a decent job—that was before the negotiations with the Council, which watered it down somewhat. The Government rightly acknowledge that the new system will build accountability with less bureaucracy, alleviating administrative and financial burdens while holding data controllers more accountable for data being processed—backed up by the possibility of remedies for abuse including notable fines. But the purpose is to provide incentives to build in privacy from the beginning through such instruments as data protection impact assessments and having a data protection officer, through data protection by design and default—thereby avoiding getting to the point of redress being necessary. As an aside, the routine registration with the Information Commissioner’s Office will be abolished, and I am not aware of how the ICO will be funded in future, because that was a revenue stream.
I will say briefly that the new rights that are in the regulation include tougher rules on consent, so we should see the end of default opt-ins or pre-selected tick boxes. That will probably be one of the most visible things for consumers; I hope that it does not become like the cookies directive, which has become a bit of a joke. The need for explicit consent for processing sensitive data is important, as is the tightening of conditions for invoking legitimate interests.
There are several matters which will give improved control over one’s own data, which is very important. There is also the right to be told if your data has been hacked or lost—so-called data breach notification—and a strengthened ability to take legal action to enforce rights. All these are considerable improvements. However, I am rather concerned about the clarity of this very substantial Bill. It is explained that the format is chosen to provide continuity with the Data Protection Act 1998, but whether or not as a result of this innocent, no doubt valuable, choice, it seems to me that some confusion is thereby created.
First, there is the fact that the GDPR is the elephant in the room—unseen and yet the main show in town. You could call it Macavity the cat. The noble Lord, Lord Stevenson, dubbed the Bill Hamlet without the Prince. Traces exist without the GDPR being visible. Is the consequent cross-referencing to an absent document the best that can be done? I realise that there are constraints while we are in the EU, but it detracts from the aims of simplicity and coherence. Apparently, things are predicted to be simpler post Brexit, at least in this regard, when the GDPR will be incorporated into domestic law under the withdrawal Bill in a “single domestic legal basis”, according to the Explanatory Memorandum. Does that mean that this Bill—by then it will be an Act—will be amended to incorporate the regulation? It seems odd to have more clarity post Brexit than pre-Brexit. It would no doubt be totally unfair to suggest any smoke-and-mirrors exercise to confuse the fact of the centrality of EU law now and in the future.
Secondly, we seem to have some verbal gymnastics regarding what “apply” means. The departmental briefing says that the Bill will apply GDPR standards, but then we have the so-called “applied GDPR” scheme, which is an extension of the regulation in part 2, chapter III. Can the Minister elaborate on precisely what activities part 2, chapter III covers? The Bill says that manual unstructured files come within that category. I do not know how “structured” and “unstructured” are defined, but what other data processing activities or sectors are outside the scope of EU law and the regulation, and are they significant enough to justify putting them in a different part?
Looking forward, I want to mention some of what I see as the possible weaknesses in the Bill which might undermine the potential for an adequacy decision for data transfers to the EU and the EEA. The future partnership paper published in August, which has already been mentioned by the noble Lord, Lord Jay, referred to a UK-EU model which could build on the existing adequacy model. Can the Minister explain what that really means? As the noble Lord, Lord Jay, said, while national security is outside EU law, when it comes to assessing the adequacy of our level of data protection as a third country, we could find ourselves held to a higher standard because the factors to be taken into account include the rule of law and respect for human rights, fundamental freedoms and relevant legislation, including concerning public security, defence, national security, criminal law and rules for the onward transfer of personal data to another third country. Therefore, our data retention and surveillance regime, such as the bulk collection of data under the Investigatory Powers Act, will be exposed to full, not partial, assessment by EU authorities. This will include data transfers, for instance to the United States, which I would expect to be very much under the spotlight, and could potentially lead to the same furore as other transatlantic transfers. I lived through a lot of that. I remember that in 2013 there was a lot of flak about the actions of the UK, but nothing could be done about it because we are inside the EU. However, in the future it could.
There are also a number of aspects in the Bill in which the bespoke standards applied to intelligence agencies are less protective than for general processing, such as data breach reporting and redress for infringement of rights. We will need to give serious thought to the wisdom of these, looking to the future. This will not just be a snapshot on Brexit day or even on future relationship day, because at issue will be how our standards are kept up to scratch with EU ones. The fact that with another part of their brain the Government intend to decline to incorporate the European Charter of Fundamental Rights into UK domestic law, with its Article 8 on data protection, will not help the part of the governmental brain which looks forward to the free flow of data exchange with the EU. Our Government seem to be somewhat at cross purposes on what their future intentions are.
I will highlight, rather at random, some other examples which need reflection. We may need seriously to look at the lack of definition of “substantial public interest” as a basis for processing sensitive data, or even of public interest. I think the noble Lord, Lord Stevenson, mentioned the failure or the non-taking-up of the option under Article 80(2) of the regulation to confer on non-profit organisations the right to take action pursuing infringements with the regulator or court. This omission is rather surprising given that a similar right exists for NGOs, for instance, for breach of other consumer rights, including financial rights. Perhaps the Minister could explain that omission.
There is also concern that the safeguards for profiling and other forms of automated decision-making in the Bill are not strong enough to reflect the provisions of Article 22 of the GDPR. There is no mention of “similar effects” to a legal decision, which is the wording in the regulation, or of remedies such as the right of complaint or judicial redress.
Very significant is the power for the Government under Clause 15 to confer exemptions from the GDPR by regulation rather than put them in primary legislation. That will need to be examined very carefully, not only for domestic reasons but also because it could undermine significantly an adequacy assessment in the future.
I will make one or two points in the health and research area. The Conservative manifesto commitment to,
“put the National Data Guardian for Health and Social Care on a statutory footing”,
is not fulfilled in the Bill; perhaps the Minister could explain why not. I would also expect clarification as the Bill proceeds on whether Clauses 162 and 172 sufficiently protect patients’ rights in the use or abuse of medical records. We know this is a sensitive issue given the history in this area, particularly of care data and other attempts to inform patients.
As a final point, I am glad that the research community was broadly positive about the compromises reached in the GDPR, although they were less explicit than the Parliament’s position. That leads to some uncertainty. I took note of what the noble Baroness, Lady Neville-Jones, said. Therefore, close examination will be merited of whether the Bill provides a good legal framework with sufficient legal basis for research, which many of us have all sorts of interests in promoting, balanced with a respect for individual rights. I very much hope this will be explored carefully at future stages.
My Lords, many of my comments on the Bill are about data collection, usage and storage, particularly as it applies to research and, in particular, health research. In that respect, I will reference many of the comments on research made by the noble Baroness, Lady Neville-Jones, including health research generally and health research for people with rare conditions and how that data might be collected.
Given the rapid advances of data science and our capacity to collect, process and store vast quantities of data, such as genomic data for individuals, ensuring that data subjects have clear rights regarding how their data is used is vital. The recently published life sciences industrial strategy acknowledges both that fact and the significant potential of the data held within the healthcare system, especially for delivering better care and for the research sector.
The importance of getting the governance of personal data right is increasingly being recognised. The Royal Society and the British Academy recently published a report on data governance, calling for careful stewardship of data to ensure that the power and value of data are harnessed in such a way as to promote better human health and human benefit.
The Government have indicated that they recognise the importance of maintaining data flows across borders post Brexit, and that is positive. For instance, three-quarters of the health-related data flow from the UK is to the EU. As far as research is concerned, the relevant provisions of the Data Protection Bill mirror the GDPR and so should not generate problems for international collaborative research as it stands. However, it is imperative that international research that requires the transfer of personal data can continue without disruption post Brexit, and the example of rare diseases used by the noble Baroness, Lady Neville-Jones, is absolutely appropriate. In such situations, research often has to be co-ordinated and conducted across many countries, as there are few individuals with a particular condition in each country. My noble friend Lord Jay referred to the need for adequacy arrangements, and I think that that applies particularly in this area. Therefore, my question to the Minister is: will the UK, as a third country, seek an adequacy decision from the EU for data transfers in this respect?
I now come to Clause 7, which refers to alternatives to consent. The noble Baroness, Lady Neville-Jones, referred briefly to the problems that arise. For many uses of personal data, explicit consent is absolutely the right legal basis for processing that data, and it is positive that, with the GDPR, data subjects’ rights have been strengthened. Medical research will usually rely on a person providing informed consent for ethical reasons, but it is essential that there are alternatives to consent as a legal basis. That is because GDPR-compliant explicit consent sets a high bar for information provision that it may not always be feasible to meet. In many research resources, such as biobanks—I hope that my noble friend Lady Manningham-Buller will refer to that as the chairman of the Wellcome Trust, which is responsible for initiating the UK Biobank—the participants give consent for their pseudonymised data to be used.
In some studies it is not possible to seek consent, either because a very large sample size is needed to generate a robust result, and that would be practically difficult to obtain, or because seeking consent would introduce bias. The use of personal health data without specific explicit consent is sometimes essential for research for the health of the population. If researchers could not process medical records for research without specific explicit patient consent, they could not run cancer registries, which are extremely important in recording all cases of cancer; they could not monitor the hazards of medical procedures, such as the recently discovered implications of CT scans for long-term disease development; they could not assess the unexpected side-effects of routinely prescribed medicines; and they could not identify sufficiently large numbers of people with a particular disease to invite them to take part in trials for the treatment of that disease. The example I would give is the recruitment of 20,000 suitable people for the Heart Protection Study on statins, which has helped transform medical practice throughout the world. I am sure that many noble Lords use statins. This began with the identification of 400,000 patients with a hospital record of arterial disease and that information could not have been accessed without their permission. There are good examples of how this provision would cause a problem as it is enunciated in Clause 7.
We have a well-established, robust system of governance and oversight for non-consensual medical research in the UK; for example, through the Health Research Authority, a confidentiality advisory group, advising on Section 251 approvals to override the common law duty of confidentiality. Patient groups actively advocated for research exemptions during the passage of the GDPR—for example, through the Data Saves Lives campaign. I hope that, in Committee, we might get an opportunity to explore this further to see whether we can somehow modify the Bill to make this possible.
I come now to the public interest issues in the same clause. I understand that the Government intend the functions listed in Clause 7 not to be exhaustive, and to allow, for example, research conducted by universities or NHS trusts to use the public interest legal basis. Again, the noble Baroness, Lady Neville-Jones, briefly touched on that. It would provide much-needed clarity and assurance to the research community, particularly to those in the universities, if this could be made explicit in the Bill. A huge amount of research will rely on public interest as a legal basis. The Government have recognised the value of making better use of data for research, and the recent life sciences industrial strategy confirms the tremendous potential benefits for patients and the public if we can unlock the value of data held by public authorities and promote its use in the public interest.
There is currently a highly risk-averse culture in data protection, driven in part because people are unclear about the rules and what they can or cannot do with data for their purposes—hence I referred to the need for better governance of the data. This is why the public interest legal basis matters so much for research. The DP Bill is an opportunity to set out very clearly what the legitimate basis for processing personal data can be. Setting out a clear public interest function for research will give researchers confidence to know when they are operating within the law. If necessary, any specification of research in Clause 7 could be qualified by safeguards to ensure that the legal basis is used only when appropriate.
Can the Minister confirm that research conducted by, for example, universities or hospitals could use the public interest legal basis for processing personal data? Again, we may have an opportunity to explore this further in Committee.
I come now briefly to Clause 18 and the issue of safeguards. Where exemptions from data subject rights exist for research, robust safeguards to protect data subjects’ rights and interests are essential. Clause 18 transposes Section 33 of the Data Protection Act into the new Bill, but it will have wider application than it did in the Data Protection Act. Under the Data Protection Bill, all medical research undertaken without consent as the legal basis will be subject to the safeguards of Clause 18. Clause 18 prohibits the processing of personal data to support measures or decisions with respect to particular individuals. This is clearly problematic for any research that involves an intervention for an individual, which forms the bedrock of our understanding of a vast range of treatment for diseases.
Let me give the House some brief examples. Clinical trials and other interventional research will be undertaken with the consent of patients, which is ethically essential. However, the standard of consent may not be GDPR compliant as it is not always possible to specify how the data might be used beyond the purpose of the trial itself. Consent is therefore not the appropriate legal basis for much interventional research. This means that the safeguards built into the Data Protection Bill for processing or research purposes will apply. Clause 18 should not apply to interventional research. That research requires the processing of personal data to make decisions about the data subject as that is part of the necessary research design and oversight. If researchers cannot process data in that way, they will not be able to process information about a patient’s condition to assess whether they are eligible to participate in a clinical trial. They will not be able to process information about a patient’s condition to determine to which arm of the trial they should be allocated. They will not be able to remove individuals from a clinical trial if evidence arises of potential adverse effects during the course of the trial. There are significant implications.
A potential solution to this problem would be to modify Clause 18 to exempt research that has been approved by an ethics committee or some other such established safeguard. Implementation of the GDPR through the Data Protection Bill is an opportunity to provide clarity for researchers about the legal basis for processing personal data and the requirements of accountability, transparency and safeguards. At present, there is a great deal of conflicting advice about the implications of the GDPR and there is a risk that organisations will adopt an unnecessarily conservative approach to data protection for fear of committing breaches.
I should like to make two minor points. The Government have committed themselves in their response to Caldicott 3 to putting the National Data Guardian on a statutory footing by 2019. Do the Government intend to table an amendment to do that in this Bill? If they do not, the opportunity will be lost.
Lastly, the noble Lord, Lord Stevenson of Balmacara, mentioned the age of consent for children. The age of 13 seems a ridiculously low age for consent and I would support any amendments that he might introduce.
My Lords, it is a pleasure to follow the noble Lord and listen to his important comments on health data and particularly consent. I thought how brave he was with his data machine. I would worry that my pearls of wisdom would disappear somewhere into the ether, but luckily that did not happen to him.
This is a welcome and necessary Bill. It is not perfect, but I leap to its defence in at least one respect—namely; the absence of the GDPR regulations themselves from the Bill. On the Government’s website, there is a truly helpful document, the Keeling schedule, which sets out how the GDPR intersects with the text of this Bill. After noble Lords have read it a few times, it comes close to being comprehensible.
I will touch on one or two of the imperfections of the Bill that have been drawn to noble Lords’ attention by bodies such as ISACA, techUK, Citibank, Imperial College and others, and I am grateful to them for doing that. I declare my interest as chairman of the Information Assurance Advisory Council and my other interests as in the register. While the Bill has its flaws, I am sure that in Committee and on Report we shall be able to see whether improvements might be made.
The Commission says that the aim of the new rules is to,
“give citizens back control over their personal data, and to simplify the regulatory environment for business”.
The Commission has estimated that this would lead to savings of around €2.3 billion a year for businesses. But while the rules might make things simpler for businesses in that respect, it is possible that they will also make it easier for citizens to demand to know what information is held on them in paper form as well as in digital form. In fact, that is one of the main purposes of the Bill. So we might find that businesses have more rather than less to do. I wonder whether that has been costed. It is a good thing that citizens should find out what information people hold on them, but we should not pretend that the exercise will be free of cost to businesses. The Federation of Small Businesses estimates an additional cost of £75,000 per year for small businesses, and obviously much more for larger ones.
The Bill contains a bespoke regime for the processing of personal data by the police, prosecutors and other criminal justice agencies for law enforcement purposes. The aim of this, which is laudable, is to,
“ensure that there is a single domestic and trans-national regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector”,
but what is the law enforcement sector? To what extent do banks, for example, fall into the law enforcement sector? They have obligations under the anti-money laundering rules to pull suspicions together and to share those across borders—not just across European borders but globally. How are those obligations tied in with the GDPR obligations in the Bill? Businesses, especially banks, will need to understand the interplay between the GDPR regulations, the anti-money laundering regulations and all of the others. The Government would not, I know, want to create the smallest risk that by obeying one set of laws you disobey another.
That sort of legal understanding and pulling things together will take time. It will take money and training for all organisations. There is a real concern that too many organisations are simply hoping for the best and thinking that they will muddle through if they behave sensibly. But that is not behaving sensibly. They need to start now if they have not started already. The Federation of Small Businesses says that:
“For almost all smaller firms, the scope of the changes have not even registered on their radar. They simply aren’t aware of what they will need to do”.
Yet it goes on to say that,
“full guidance for businesses will not be available until next year, potentially as late as spring. The regulator cannot issue their guidance until the European Data Protection Board issue theirs”,
so there is a lot of work to be done.
I shall touch on three other issues at this stage of the Bill. The first is Clause 15, which would allow the alteration of the application of the GDPR by regulations subject to affirmative resolution and that could include the amendment or repeal of any of the derogations contained in the Bill. I share the concern expressed by the noble Baroness, Lady Ludford, on that and we will need to look at it.
Secondly, there are various issues around consent. The only one that I will mention is that the Bill provides that the age of consent for children using information society services should be 13. The right reverend Prelate the Bishop of Chelmsford mentioned the YouGov survey about that. I actually believe that the Government have this right. It recognises the reality of today’s social media and the opportunities that the digital world brings, and the Bill also protects young people to some extent by the right to have information deleted at the age of 18. TechUK agrees and so does the Information Commissioner. But if the public do not—and from the sounds of the YouGov survey they do not—there is a lot of work to be done in explaining to people why the age of 13 is the right one.
There is a technical issue that I simply do not understand. The GDPR rules state that the minimum age a Government can set for such consent is 13, and in this Bill, as we know, the Government have gone for the minimum, except in Scotland. Scotland is dealt with in Clause 187 of the Bill and there it seems that the minimum age is 12, unless I have this completely wrong. How do the Government square that with the GDPR minimum of 13?
My final point echoes one raised by the noble Lord, Lord McNally, relating to the issue of the re-identification of personal data which has been de-identified, as set out in Clause 162. The clause makes it a crime to work out to whom the data is referring. The very fact that this clause exists tells us something: namely, that whatever you do online creates some sort of risk. If you think that your data has been anonymised, according to the computational privacy group at Imperial College, you will be wrong. It says:
“We have currently no reason to believe that an efficient enough, yet general, anonymization method will ever exist for high-dimensional data, as all the evidence so far points to the contrary”.
If that is right, and I believe it is, then de-identification does not really exist. And if that is right, what is it in terms of re-identification that we are criminalising under this clause? In a sense, it is an oxymoron which I think needs very careful consideration. The group at Imperial College goes on to suggest that making re-identification a criminal offence would make things worse because those working to anonymise data will feel that they do not have to do a particularly good job. After all, re-identifying it would be a criminal offence, so no one will do it. Unfortunately, in my experience that is not entirely the way the world works.
We can come back to all of these issues in Committee and consider them further, and I look forward to the opportunity of doing so. This is not just a worthwhile Bill; it is an essential and timely one, and I wish it well.
My Lords, I have spoken extensively about the imperative to maximise online safety for children and of the need to provide the right tools to empower parents to help keep their children safe online. This will continue to be my priority as we discuss the Data Protection Bill at all its stages. Parents often feel that their children know rather more about accessing the technology than they do, but they still have a role and responsibility to guide their children, and this extends to the topic before us today—the child’s personal data.
During the extensive debates in this House on the Digital Economy Bill, we discussed what young people below the age of 18 should and should not see, and we voted to require a code of practice for the providers of online social media platforms, which is now Section 103 of the Act. In all our discussions about children during those debates, we were referring to individuals under the age of 18, and there was no dispute on the point. I am disappointed that nowhere in the Data Protection Bill’s 208 pages is a child defined as a person under the age of 18.
This Bill puts before us another dividing line between childhood and the influence of parents, the effect of which is nothing if not confusing. Clause 8 states that a child of 13 years can consent to providing data to information services; that is, they can sign up to social media sites and so on. By contrast, the default in the European General Data Protection Regulation is that a child should be 16 years old to be able to give “digital consent”.
The Explanatory Notes state of the age of 13:
“This is in line with the minimum age set as a matter of contract by some of the most popular information society services which currently offer services to children”.
These are contracts driven by decisions under United States federal law in the form of the Children’s Online Privacy Protection Act of 1998. However, the world of technology and what is at our children’s fingertips has changed significantly since 1998. What might have seemed good then does not mean that it is now.
Furthermore, given all the concerns expressed over recent months about the actions of social media sites, the current contracts of these sites should not be driving government policy; rather, the primary factor should be what is best for children and young people, and what is best should be established through a solid evidence base. I hope that the Minister will set out the Government’s evidence-based reasoning for using the age of 13 and tell us what evidence has been collected by the DCMS from children’s charities and those representing parents and others with an interest in these matters.
Choosing the right age for children to consent to signing up to these websites is far from a straightforward issue. I am aware that there is concern among children’s charities that setting the age of digital consent at 16 could lead to an increase in the grooming of young people by abusers, something that none of us in this House would wish to see. The Children’s Society has said that, if Parliament sets the age in Clause 8 at 16, significant changes should be made to the grooming and sexual offences legislation.
I have also received briefing material from BCS, The Chartered Institute for IT, which suggests that there is significant public support for the age being 16 or 18 and very little support for the age being 13. I understand that parents favour firmly the age of 18, so clearly there is a lot of room for discussion, and no doubt we will have it during Committee. In this context, I would like to suggest that the Government should launch an immediate public consultation on this point so that the House can make a fully informed decision before the Bill moves to the other place. Right now, either end of the age spectrum looks like it has dangers.
I also hope that the Minister will set out some clarification of the intentions of the Bill in relation to the consent of children. Paragraph (6) in Clause 8 includes an exemption for “preventive or counselling services”. Does that mean that a child could give their consent to these websites before the age of 13 or not at all? What is defined as a “preventive or counselling service”?
Clause 187 gives further criteria for the consent of children, but only children in Scotland, where a child’s capacity to exercise their consent should be taken into account, with the expectation that a child aged 12 or over is,
“presumed to be of sufficient age and maturity to have such an understanding”.
The Explanatory Notes to the Bill state that this clause must be read with Clause 8, which provides that the age limit is 13. Is Clause 187 intended to say that the age of digital consent cannot go below 13, which is the position of Article 8(1) of the GDPR, or that there might be circumstances when a child who is 13 cannot consent for genuine reasons? Either of these scenarios seems to give rise to confusion for children, parents and the websites that children access.
After all the detailed discussions about age verification that we had earlier in the year, there is an argument for age verification to apply to Clause 8. How will websites that require a child to verify that they are 13 years old ensure that the child is the age that they say they are without some requirement for the site to prove the age of the child? This is surely a meaningless provision. I hope that when the Minister comes to reply, he will set out the Government’s position on this matter and explain what penalties a website which breaches this age requirement will face.
Finally, I hope that the Minister will give us an update on the publication of the Green Paper on internet safety and how the digital charter that was announced in the Queen’s Speech will play into this Bill during its passage through this House and on to the other place.
My Lords, it is a pleasure to follow the noble Baroness, Lady Howe, and to recognise her expertise in discussing the issues around children’s protection. I share many of her ideas. I welcome the Bill, and echo other noble Lords in recognising that it has enormous significance and is very timely. I am grateful for the clear explanation of the EU Committee’s report, which showed the complexities of the continuing interrelationships between this country’s legislation and that of Europe and the way in which we will have to deal with that for many years to come.
At this stage, it is worth reminding ourselves—or at least reminding myself—that we are talking about so many areas of our society today and so many aspects of 21st century life which we are aware that not all of us understand. I know there are many experts in this field. I refer in particular to the noble Baroness, Lady Lane-Fox, who will speak after me, when I say that there are people who clearly understand all the implications of the wider digital economy. However, I put myself among the majority of the population when I say that, although I am aware of the vast number of ways in which the digital revolution impacts on and, perhaps somewhat frighteningly, dominates our everyday lives, it is almost impossible for most of us to know how and by whom our personal data is being collected, with whom it is shared and to whom it is probably sold. Therefore, robust protection of privacy and the ethical regulation of data are essential if we are to continue with our democratic principles.
My noble friend on the Front Bench, Lord Stevenson, has already referred to some of the gaps that he sees in this legislation; no doubt those will be referred to and returned to at a later stage. I am concerned that the way some of the Bill is drafted already suggests that we are once again moving into that area where the role of this House and the other place is diminished by so much secondary legislation being proposed. I do not apologise for raising yet again, as I have in previous debates, what I see as a paradox: so much of the support for Brexit depended on the restoration of parliamentary sovereignty to Westminster, yet when we come to look at the detail of some of the Bills to implement some of the implications of Brexit—particularly in this kind of complex area—we find that the presentation is often based on secondary legislation where the role of this House, particularly in scrutinising and revising, and that of the other place, is somewhat diminished. It seems an extraordinary paradox to me.
Noble Lords have already referred to Clause 15, which is particularly worrisome in this area. It would clearly permit alterations by the affirmative action procedure. It will be important, when we debate the detail of the Bill, to recognise that professional bodies are already mentioning that as a concern. As was mentioned briefly by a previous speaker—I think it was the noble Lord, Lord McNally—I draw the attention of the House to the British Medical Association having drawn particular attention to the potential problem of regulations being altered in this way. Noble Lords will be aware that the security of sensitive healthcare information is clearly essential to good medical practice. The BMA is now concerned that the centrally important trust in doctor/patient relationships may be threatened in future if changes in data sharing can be fast-tracked without proper scrutiny through the secondary legislation process. Again, the House will be aware that, as the law stands, healthcare information has special protection through the common-law duty of confidentiality. I hope it will be possible for the Government to assure the House, at the earliest opportunity, that the proposed regulatory powers will not be overridden in that way, and in particular that that crucial safeguard will continue to exist. It may be possible to give a general assurance on the general procedures on regulation.
I turn to some of the questions which arise from what I describe as general ignorance about the uses and abuses of personal data in the global digital economy. My noble friend Lord Puttnam, who is unavoidably away today—and who is a greater expert and far more authoritative in this field than me—wanted to contribute to the debate by suggesting some ways of improving the situation of so-called digital literacy by means of the Bill. With his permission, I will mention his proposals, which I am sure he will return to at the later stages. It is, of course, completely extraordinary to me that when my noble friend Lord Puttnam and I worked together in 2003 on the Communications Bill, that Act contained no reference to the internet. In the 14 years since, we have all become familiar with so many digital concepts: standardised algorithms, bots, big data and what is increasingly referred to as “data capitalism”. We are familiar with the words, but I am not sure that we all understand their implications for privacy and personal data.
It has been said this afternoon that national Governments now face the legal and technical challenge of trying to regulate international communication and information flows, which are largely controlled by a handful of American-based internet corporations. In this parliamentary Session, I have the privilege of sitting on your Lordships’ Select Committee on Political Polling and Digital Media. We are investigating the questions of accuracy and transparency thrown up by using internet data in politics. We are only beginning to uncover the complexities and threats that the new systems create. Again, in this context, in the last year we have all heard about so-called fake news and possibly even Kremlin-inspired online intervention in western democracies. Only yesterday, there were reports of operatives using individual Facebook accounts to generate support for President Trump; but is it possible to influence effectively, or control, any of that in the public interest? As a good democrat, the noble Lord, Lord McNally, remains optimistic, but I find it very hard to see how an individual Government can act legislatively to moderate the growing tsunami of online data exchange—and how through the law we can protect individuals from manipulation and exploitation.
A possible route that, optimistically, could influence behaviour and protect citizens from the most egregious breaches of their privacy is through public education. That is obviously a long-term project. Creating better-informed consumers who understand how their shared personal data may be used, and what may happen to data when it is passed on, would clearly be an advantage. That is important when we are talking—as the noble Baroness, Lady Howe, and other contributors did before me—about young people growing up with the internet. They are the greatest users of every type of social media but, although they may be technically adept, they are often the most ignorant about what they are signing up to or giving away when they use seductive sites or post so much information online.
I welcome the provision in the Bill that allows young people to remove content—the right to be forgotten. However, I share the concerns of the noble Baroness, Lady Howe, the right reverend Prelate and others about the age of consent being 13. As a grandmother, as they say, I would be very happy to see that age raised. As referred to by the right revered Prelate, who is not in his place, it is interesting that, when surveyed, 81% of the general public wanted to try to raise that age. I hope we will return to this issue at a later stage.
It is important to look at some of the fundamental issues about how we can achieve better public education in this field. Do we need to think again about how to achieve a digitally literate population in the true sense, which in turn could hopefully influence the attitudes and actions of the big tech companies and change the opinion of the world? That may be a more sensible way to proceed than continuing to make what may be vain attempts to regulate the ever-expanding web. The House will remember, as the noble Lord, Lord McNally, has already said, that in the original Communications Act 2003, Ofcom was given the specific duty of promoting “media literacy”. In that Act—perhaps I may quote from it—the duty is very broadly based. First, it is,
“to bring about, or to encourage others to bring about, a better public understanding of the nature and characteristics of material published by means of the electronic media”.
Secondly, it is,
“to bring about, or to encourage others to bring about, a better public awareness and understanding of the processes by which such material is selected, or made available, for publication by such means”.
However, since the passage of the Bill, Ofcom seems largely to have interpreted these responsibilities in rather a narrow and perhaps pragmatic way. For example, it has asked how we can ensure that the elderly population has appropriate access to digital technology and how internet drop-out areas, or areas where it is difficult to achieve broadband, can be improved?
My noble friend Lord Puttnam is therefore proposing that in Part 5 of the Bill, which covers the Information Commissioner, a wider duty be placed on the commissioner to act with Ofcom, and indeed with the Department for Education and the DCMS, on the use and abuse of personal data. He sees this as something that could be included by amendment in the “general functions” of the commissioner or established under a separate code of practice. He suggests that a code of practice could, for example, confer special responsibilities on the big technology giants to engage in the collaborative development of digital media skills. It does not seem naively optimistic to think that this type of statutory leverage could be influential. It could be a useful exercise of “soft power” to achieve more informed and responsible internet use by both providers and consumers. Effective and proper digital literacy is an approach that would avoid the continuing search for a national regulatory solution to some of the problems of the global digital economy—it may be long-term but it seems worth undertaking. I am sure my noble friend Lord Puttnam will table amendments in Committee.
I welcome the Government’s intention to update and strengthen a robust system of data protection. It is certainly an ambition that has recently been made more difficult both by corporately owned global technology giants which transcend the authority of national Governments and by the huge expansion of internet technology. I am glad that the Bill has started in this House, as I am sure it will, as always, be improved by your Lordships’ scrutiny and revision.
My Lords, happy Ada Lovelace Day. How prescient of the Whips and the Minister to pick today for Second Reading. To remind colleagues who might be wondering: she was one of the great innovators of computing in the 19th century. She worked with Charles Babbage on his computational engine, she was the first to recognise that the machine had applications beyond pure calculation, and, in fact, she probably created the first algorithm intended to be carried out by that machine. As part of that, she is often regarded as the first to recognise the full potential of computing, so it could hardly be more apt to pick today for this Second Reading debate, in which we are probably looking at the consequences of the work that she started all those years ago.
The Government’s ambition is to,
“make Britain the best place to start and run a digital business; and … the safest place in the world to be online”,
as detailed in the Conservative manifesto. This Bill is intended to,
“ensure that our data protection framework is suitable for our new digital age, and cement the UK’s position at the forefront of technological innovation, international data sharing and protection of personal data”.
This aspiration to be the best, to make the UK a world leader and set a precedent for good regulation of our digital worlds, is admirable, but that means that the Bill must set the bar high. It must be the very best it can be, especially as we head towards Brexit, where having the highest standards around the collection and use of data will be vital not just to digital businesses but to our continued ability to trade. This Bill must be the foundation for that. There is much that is good in the Bill, but I do not believe that it is yet the best that it can be.
I must start with a confession. Despite the kind references today to my career and supposed expertise, I found this Bill incredibly hard to read and even harder to understand. I fear that we will not do enough to stop the notion, referred to by the noble Lord, Lord McNally, that we are sleepwalking into a dystopian future if we do not work hard to simplify the Bill and make it accessible to more people, the people to whom I feel sure the Government must want to give power in this updated legislation. Let us ensure that the Bill is a step forward for individual power in the rapidly changing landscape in which we sit, a power that people understand and, importantly, use. Let us make it an indicator to the world that the UK balances the importance of tech start-ups, innovation, foreign investment and big businesses with consumer and citizen rights.
The Government should be commended for getting ahead of movements that are growing all over the world to free our data from the tech giants of our age. As data becomes one of our most valuable resources—as we have heard, the new oil—individuals have begun to want a stake in determining for themselves when, how and to what extent information about them is held and communicated to others. So I welcome the clear data frameworks, which are important not only for the best digital economy but for the best digital society.
I agree with much that has been said today but want to make three specific points on the Bill. First, from any perspective, the GDPR is difficult to comprehend, comprising sweeping regulations with 99 articles and 173 recitals. The Bill contains some wonderful provisions, of which my favourite is:
“Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR … In this Chapter, “the applied Chapter 2” means Chapter 2 of this Part as applied by this Chapter”.
Giving people rights is meaningful only if they know that they have them, what they mean, how to exercise them, what infringement looks like and how to seek redress for it. There are questions about the practical workability of a lot of these rights. For example, on the right to portability, how would the average person know what to do with their ported data? How would they get it? Where would they keep it? There was a funny example in a newspaper recently where a journalist asked Facebook to send them all the data that it had collected over the previous eight years and received a printed copy of 800 pages of data—extremely useful, as I think you will agree. What about your right to erase your social media history? I should declare my interest as a director of Twitter at this point. How can you remove content featuring you that you did not post and in which people may have mentioned you? What happens as the complexity of the algorithm becomes so sophisticated that it is hard to separate out your data? How does the immense amount of machine learning deployed already affect your rights, let alone in the future?
Awareness among the public about the GDPR is very low—the Open Data Institute has done a lot of work on this which is soon to be published. It is very unlikely that ordinary people understand this legislation. They will have no understanding of how their rights affect them. A lot of education work needs to be done.
For businesses, too, the learning curve is steep, especially for foreign investors in European companies. Some are betting that the sheer scope of the GDPR means that the European regulators will struggle to enforce it. When the GDPR came up at a recent industry start-up event, one industry source said that none of the people to whom they had spoken could confidently say that they had a plan. Every online publisher and advertiser should ensure that they do, but none of them is taking steps to prepare.
So much has been done by this Government on building a strong digital economy that it is important to ensure that small and start-up businesses do not feel overwhelmed by the changes. What substantial help could be planned and what education offered? What help is there with compliance? By way of example, under Clause 13, companies have 21 days to show bias from algorithms, but what does this mean for a small AI start-up which may be using anonymised intelligence data to build a new transport or health app? What do they have to think about to make good legal decisions? As my noble friend Lord Jay so brilliantly argued, how can we ensure post-Brexit legislative certainty for them in building global successful businesses?
This brings me to my second question: why has the right of civil groups to take action on behalf of individuals been removed from the UK context for the GDPR? Instead, the Bill places a huge onus on individuals, who may lack the know-how and the ability to fight for their rights. As has been mentioned, article 80(1) of the GDPR allows for representative bodies—for example, consumer groups—to bring complaints at the initiation of data subjects. Article 80(2) allows those groups to bring complaints where they see infringements of data rights without an individual having to bring the case themselves. These give consumers power. It supports their rights without them having to specifically understand that the rights exist, or how to exercise them. Unfortunately, article 80(2) is an optional clause and the UK has omitted it. This omission is worrying, given how stretched the ICO’s resources are and the impact this could have on its support for the public. Granting rights over data to individuals is meaningless if individuals lack the understanding to exercise those rights and there is no infrastructure within civic society to help them exercise those rights. However, we have many organisations in this country—Citizens Advice, Which?—which have these kinds of rights of free-standing action in relation to other regulations. There does not seem to be any good reason why the UK has chosen not to take up the option in EU law to allow consumer privacy groups to lodge independent data protection complaints as they can currently do under consumer rights laws.
Citizens face complex data trails. It is impossible for the average person to be able to know which organisations hold their personal data. Enabling privacy groups to take independent action will ensure these rights are enforced. As it stands, under the Bill the ICO is currently the main recourse for this.
Resourcing the ICO, Part 5 of the Bill, is essential and my third main area of interest. The ICO has considerable responsibilities and duties under the Bill towards both business and individuals: upholding rights, investigating reactively, informing and educating to improve standards, educating people and consumer groups, and maintaining international relationships. I feel exhausted thinking about it. The ICO’s workload is vast and increasing. It lacks sufficient resources currently. In March 2017, the Information Commissioner asked Parliament if it could recruit 200 more staff but the salaries it offers are significantly below those offered by the private sector for roles requiring extremely high levels of skills and experience. These staff are going to become ever more important and more difficult to recruit in the future.
The ICO currently funds its data protection work by charging fees to data controllers. It receives ring-fenced funding for its freedom of information request work from the Government. This income can increase the number of data controllers only as it increases: it is not in line with the volume or complexity of work, and certainly not with that in the Bill. Perhaps it is time for another method of funding, such as statutory funding.
Finally, I would like briefly to add my thoughts on how the Bill affects children. As many noble Lords have said, the YouGov poll does indeed say that 80% of the public support raising the age to 18—currently it is 13, as detailed by the Government. However, there are many other surveys, particularly one by the Children’s Society, which show that 80% of 13 year-olds currently have a social media account and 80% of people under 13 have lied or twisted their age in order to establish one. This is the realpolitik in the war of understanding the internet with our children. I respectfully disagree with the noble Baroness, Lady Howe, and others in the Chamber: I feel strongly that it is wrong to place policing at the heart of how we deal with relationships between children and the internet. We need to take a systems-based approach. I have seen my godchildren set up fake accounts and whizz around the internet at a speed I find alarming. We have to deal on their terms. We have to help educators, parents and people supporting children, not use the long arm of the law.
There are many anomalies, as has already been detailed, as well as discrepancies with Scotland, differences between parental oversight and explicit giving of consent, problems with data collection and how the digital charter will work, and so on, and those are all important. However, I am optimistic too—I always am—and there is much to welcome in the Bill. I am particularly optimistic if we can work in tandem on the wider digital understanding of our society, as so brilliantly detailed by the noble Baroness, Lady Jay. I wish I could discuss the important themes in the Bill with Ada Lovelace, but in her absence I will have many good discussions with people in this Chamber so that we can all work hard to ensure that citizens and consumers reap the benefits of the Bill.
My Lords, with the leave of the House I shall now repeat a Statement made in the other place by my right honourable friend the Secretary of State for Business, Energy and Industrial Strategy. The Statement is as follows:
“With permission, Mr Speaker, I want to update the House on the trade dispute brought by Boeing against Bombardier. The case has serious implications for the workers at Bombardier Aerostructures & Engineering Services—Short Brothers—in Belfast, where the wings for the C Series aircraft are manufactured. Following a complaint by Boeing Inc, the US Department of Commerce has made two provisional determinations in the case, calculating duties of 220% in relation to alleged subsidies for Bombardier and of nearly 80% in relation to alleged mis-selling by Bombardier into the US market. These initial determinations are bitterly disappointing, but they are only the first step in the process: a final ruling in the investigation is due in February and would be subject to further appeal. This Government have been working tirelessly to bring the case to a satisfactory resolution.
In filing its petition, Boeing asserted three claims: first, that without Canadian and UK Government subsidies Bombardier would have been unable to develop the C Series; secondly, that Bombardier is selling at or below production cost its C Series aircraft in the US; and thirdly, as a result, that this is causing the threat of imminent material injury to the US domestic aerospace industry. This action followed Bombardier securing an order from Delta Airlines for 75 aircraft. The Boeing petition makes allegations about funding support from the Canadian federal Government and the Government of the Province of Quebec for the Bombardier C Series. It also alleges that the UK Government’s provision of £113 million of repayable launch investment funding, committed to Bombardier Short Brothers in 2009 to support the development of the composite wings, contravened trade rules. We strongly and robustly refute this accusation.
I want to make the Government’s position very clear: we consider this action by Boeing to be totally unjustified, unwarranted and incompatible with the conduct we would expect of a company with a long-term business relationship with the United Kingdom. Boeing does not manufacture a competing aircraft, so although Boeing claims harm in respect of the Delta aircraft order, it has no product in the 100 to 125-seat sector. Furthermore, this system of launch investment for the development of new aircraft reflects that of all major commercial aircraft programmes in their early years, including the Boeing 787. We refute entirely any suggestion that our support contravenes international rules.
The Shorts factory in Belfast employs more than 4,200 skilled workers, with almost a quarter of those working on the C Series. It also supports a supply chain of hundreds of companies and many more jobs in the UK, as well as supporting nearly 23,000 workers in the US, where 53% of the content of the C Series is produced by US-based companies. We will continue to work tirelessly to safeguard jobs, innovation and livelihoods in Northern Ireland.
From the outset this has been a dispute that joins Canada and the UK, and we have been assiduous in working closely with the Government of Canada in our response. The Prime Minister has discussed the case with Prime Minister Trudeau, and I have been in regular contact with Canadian Foreign Minister, Chrystia Freeland, to co-ordinate our response and actions. We have had intensive engagement from across government at the highest levels. The Prime Minister has discussed the matter twice with President Trump, stressing the crucial importance of Bombardier’s operations in Belfast and asking the US Government to do all they can to encourage Boeing to drop its complaint. My Cabinet colleagues, my right honourable friends the Foreign Secretary, the Defence Secretary, the Chancellor of the Exchequer, the Trade Secretary and the Northern Ireland Secretary, and myself have reinforced our serious concerns with the US Secretary of Commerce, the US Secretary of State, the US Treasury Secretary, the US Trade Representative and other members of the Administration, as well as with the EU Trade Commissioner. The Minister for Energy and Industry has met Boeing International’s president, and I travelled to Chicago to meet Boeing’s president and chief executive to make clear the impact of this on our future relationship with the company.
I am grateful for the consistent and indefatigable efforts of the honourable Member for Belfast East and the whole community in Northern Ireland, who are united in opposition to this action. We will continue vigorously and robustly to defend UK interests in support of Bombardier, its workforce in Belfast and those in its UK supply chain. We will continue to work jointly and collectively with the Canadian Government. We will work closely with Bombardier, its workforce and its trade unions, and we will do everything we can to bring about a credible, early resolution of this totally unjustified case. The initial determinations are the first step in the process, but we completely understand the worry and uncertainty facing the workforce, which means that the earlier this issue can be resolved, the better. To that end, I expect to have further discussions with Boeing, Bombardier, the Canadian Government and the US Government in the days ahead. The House should be aware that neither the Government nor our counterpart in Canada will rest until this groundless action is ended. I commend this Statement to the House”.
My Lords, I thank the Minister for repeating the Statement made by the Secretary of State in the other place. It sets out the case very well indeed. I am sure the whole House welcomes the Government’s commitment to resolve this trade dispute between Boeing and Bombardier as swiftly as possible.
Indeed, this dispute is of great concern to the 4,200 Bombardier employees in Northern Ireland, their families and the communities in East Belfast, Newtownabbey, Dunmurry and Newtownards. For so many jobs at one of Northern Ireland’s largest employers to be placed at risk is a matter of real concern, as are the wider potential economic impact and, in the case of Northern Ireland, the potential political repercussions. Bombardier represents 8% of Northern Ireland’s GDP and 40% of its manufacturing base and supports 20,000 more jobs in the wider supply chain across the country. There is a great deal at risk. Bombardier acquired the Shorts facility in 1989. The Shorts heritage goes back over 100 years and the Belfast base was established in 1948. It is a centre of excellence and many other leading businesses in the aviation and defence sectors owe their excellent performance and existence to the Shorts—now Bombardier—facility.
The aviation sector is important to our country and it has great potential. We have Airbus facilities, a Boeing facility in Sheffield and the Bombardier facility. Aviation expertise, world-leading engineers and an experienced and seasoned workforce create the potential for this sector to be a real opportunity for us. This dispute and recent news regarding BAE and Monarch do not represent the collapse of the aviation industry but do not bode well for those of us who want to see it thrive in the years ahead. Does the Minister agree that a sector deal, with a particular focus on supply-chain issues and infrastructure requirements, would be helpful in this context?
I want to make it very clear that we on these Benches unreservedly take the view that Bombardier is being challenged on a case that has no merits and that the US Department of Commerce’s initial determinations are flawed and without justifiable foundation. It is clearly specious to suggest that there is harm or potential harm to Boeing in a sector where it does not have a competitor product; nor can there be any doubt that the UK’s vigorous adherence to state aid rules means that any support provided to the Bombardier facility does not contravene trade rules.
We hope that the key actors in this see sense and either withdraw the complaint or abandon the US Government’s flawed process, and that this is resolved as quickly as possible to ensure that any harm is minimised. But hope is not enough and we need to be steadfast in our action. We offer the Government our support and help and we recognise that there has been some considerable effort: 24 interactions with the US Government, including two with the President, as well as 12 with Boeing and 10 with other key actors, including the EU. But we have concerns about the effectiveness of the approach and would like some assessment from the Government of whether they feel that anyone is listening or even that the process itself is fair. We acknowledge the role of Canada, as well as the help of the trade unions, but we would be grateful if the Minister could also tell us how much support, and to what level, the Government are seeking from the European institutions. Have the Government asked the EU to consider taking steps in relation to its trade with the US?
We recognise that Boeing is a very welcome inward investor to the UK and we have a significant and long-standing relationship. We would like it to increase the size, scale and scope of its Sheffield facility, and to see it flourish. But the conduct we have seen from it is not what we would expect of a supplier. We would be grateful if we could understand from the Minister what further interactions we have had with Boeing and when the most recent ones were.
In relation to the US Government, have the Government taken a view on whether or not this process has been used because of the weakness of the merits of the case? It is noticeable that unlike most disputes in the aviation sector, which take place at the WTO, this one is a US government approach. Surely the US Commerce Secretary’s recent comments in support of the action and the determination of the tariffs suggest that this process may have been used for a reason. In discussions with the US Government, have Ministers seen any evidence of US government encouragement of Boeing? Can the Minister tell us, in the case of such disputes, on how many occasions, either by number or percentage, has the final decision overturned a provisional decision? Can the Government suggest what their plan would be if the final decision confirmed the provisional declaration? What would be the strategy in the United States? Have the Government sought the advice of expert US trade lawyers or advisers?
Does the Minister agree with me that actually, the fundamental problem here is one of market structure? Boeing has such a large market share that it prices on the basis of monopolistic control, actively supported by eye-watering subsidies from the US Government— a rather familiar tale of locking everyone out to favour the dominant incumbent. This country has benefited from a more open market, with Airbus, Boeing and Bombardier having meaningful facilities here, and this US-led action demonstrates not only its determination in defending its interests but how quickly it can sometimes apply protectionism. It raises questions about its commitment to a new, fair and reasonable trade deal. Finally, can the Minister confirm that this point has been forcefully made to the US Government during the discussions?
My Lords, I draw your Lordships’ attention to my declared interests. I thank the Minister for repeating the comprehensive Statement, which I think has support right across the House. There is a danger that this is a bellwether moment for Bombardier, Northern Ireland’s industry and, perhaps, Britain’s future trading relationships. It is an important example and possibly a glimpse of what life outside the European Union might look like.
As the Statement rightly says, this unilateral and disproportionate response by the US Department of Commerce is over a variety of plane that Boeing itself does not manufacture. Does the Minister agree that this is perhaps a more symbolic gesture, with an eye on other manufacturers in other places—a warning shot, perhaps—with Bombardier as the innocent victim of a larger global power play in plane manufacturing? It also demonstrates in style how the US is going to administer multilateral organisations. It sets out in stark contrast what life could be like after Brexit as we adopt WTO rules, just as the Trump Administration step up their attack on that institution, not least through the vetoing of appointments to the WTO’s appellate body, denying it the ability to deal with such trade disputes.
Canada has long demonstrated through its actions that it views Bombardier as a strategic Canadian resource. In Northern Ireland, as the noble Lord, Lord Mendelsohn, stated, it has a very important economic as well as symbolic position within the community. I will not repeat what he has just said, except to reaffirm that its loss would be a savage blow to the drive for economic development that is absolutely essential to support the Good Friday agreement and everything that has gone before. But it is also strategic to the UK aerospace industry. We have to remember that wings are a very important part of what we do in this country, and that is what Bombardier does, so there is a very strong need to defend that technology as well.
Of course, the US action is at an early stage. In due course, as it progresses through the courts and winds its way towards the WTO, I dare say—largely because it has no merit—that Bombardier may have success in overturning the ruling. But these things take years—years and years. What kind of shape would this business be in after going through this process? No company Bombardier’s size could withstand a process of that length. Can the Minister tell us the status of the Delta sales? Are they on hold or do they go ahead as normal until the appeals process is complete? The Minister set out the co-operation that is coming from Canada but we should remember that the parent company is Canadian and if it starts to seek to preserve the overall concern, where will it cut first—in Canada or in Northern Ireland? It is very important that the Government seek assurances from Bombardier that it will continue to support the Belfast operation.
Finally on this point, we can expect the Chinese to heat up their bid for Bombardier. What line do Her Majesty’s Government have into that process? What advance warning are they likely to get in the event that a bid from the Chinese or someone else comes along?
I welcome the seriousness with which the Government are taking this; it is imperative that that seriousness continue. I am sure the Government will take the time to explain to Boeing the caustic effect it is having on what has been a burgeoning relationship in this country. I am sure the Government are reminding it about the Apache and Chinook helicopters and Poseidon aircraft that are currently on order from the MoD. Will the Minister say what contingency plans are being put in place to ring-fence the skills we have in Belfast in the event that they start to leech out? We are glad to hear that the Minister is working tirelessly, but what exactly is he now doing? We have heard that he talked to a wide variety of opposite partners in Canada and the US, but what levers does he have to pull? Can the Minister assure us that while we are cosying up, trying to negotiate a trade deal with the US, we will not ease back or soften our approach to the defence of Bombardier? The Minister has a long list of people he has talked to, so far to no effect. What is the next step?
I thank the noble Lords, Lord Mendelsohn and Lord Fox, for their contributions and for their general support for the Government’s approach in what I think the House will acknowledge is a challenging situation.
The noble Lord, Lord Mendelsohn, emphasised the importance of the operation in Northern Ireland, particularly the Bombardier—formerly Shorts—factory. It is important for Northern Ireland. I think I mentioned that 1,000 or so jobs out of a total of 4,000 are particularly focused on making the wings for the C Series. The noble Lord made a valuable point about the importance of the supply chain. It is not just the 1,000 workers in the aircraft factory itself. It goes well beyond that. We are well aware of that and are focusing on all the jobs that could be affected down the line if the issue went further.
I want to give a little more information about what the Government are doing. The noble Lord, Lord Mendelsohn, mentioned a few figures. Greg Clark and the Minister for Aerospace, Richard Harrington, have been tireless in contacting a number of people across government, particularly in the US. There have been 24 calls or meetings with US administrators, Members of Congress and other US politicians, 15 calls or meetings with Bombardier in the UK and Canada and 12 calls or meetings with Boeing—that answers one of the questions asked by the noble Lord, Lord Mendelsohn. Keeping a line in with Boeing and keeping pressure up to ask it to overturn its decision is very important. There have also been 20 calls or meetings with the Canadian Government or officials.
The noble Lord asked about the EU. I think I mentioned in the Statement that in addition to the EU Commissioner, who is being kept fully involved, other levels within the EU are also being kept involved within the same area. I think that is a good approach.
The noble Lord, Lord Mendelsohn, asked what might happen with the final decision. We want this decision to be withdrawn by Boeing. That is what we expect. It is unjustified, and I think I have made it quite clear that we are going to work very hard to ensure that that happens. The final decision will be undertaken in February, if it gets that far, and then it is subject to appeal, so there is a process to be undergone, and I should say again that the unfortunate, disappointing decision that has just been made is the first step of the process. We will continue to press Boeing. The amount of meetings that have been had up to date will continue.
The noble Lord, Lord Fox, spoke about plane manufacturing. As he will know from his role, aerospace manufacturing in the UK is incredibly important. Boeing’s strategy is most disappointing. We should point out that Boeing has a considerable interest in the UK, and we want to be sure that the long-term relationships and partnerships we have with Boeing continue. No doubt they will, with what we are currently working on, but its action does not help with potential future deals. We want that to work out.
We see this as a specific issue between the US, Canada and the UK Government, not broader than that, so I do not think there is any mileage in extending it to the EU, which the noble Lord, Lord Fox, mentioned.
I do not want to comment on Delta’s thinking; that is for Delta to comment on. I can only assume that it will continue to commit to its order for the CS100. I understand that they are due to be delivered in the spring of 2018, and as far as I know, that will continue. We will do all we can to support Bombardier and all the workers in Northern Ireland—a point raised by the noble Lord, Lord Fox. Every effort will be made, and we have some very strong lines in to those running the factory and those on the trade union side. I pay tribute to those in Northern Ireland, particularly the Northern Ireland politicians, who are working assiduously with us and with others involved in Northern Ireland.
My Lords, I welcome the robust position in the Minister’s Statement. I particularly welcome the fact that this position has been endorsed by all sides of the House. I have a personal interest in this because I went to Seattle and met the board of Boeing when they worked very closely with Shorts, so they have no excuse for saying they do not know much about the situation in Northern Ireland. There is a long history of collaboration. In my time as Secretary of State, I also arranged the sale of Shorts to Bombardier, and I am very proud indeed of the success it has been over the years, the employment it has given and the importance it has for the Northern Ireland economy.
I take very well the point made by the noble Lord, Lord Fox, that this could drag on for a long time and be extremely damaging. We are told that President Trump is very keen on US jobs. I was interested to hear in the Statement that there are 23,000 US jobs involved in the Bombardier aeroplane, if the Statement is correct, so there is that defence, as presumably those people could lose their jobs.
I think that at last Boeing is beginning to realise the damage this is doing to its reputation. Anybody who looks at today’s Evening Standard will find a four-page wrap-round paid for by Boeing about its importance to the UK and what it is doing. I think the PR advisers in Boeing have just woken up to the damage that this is doing to Boeing. The earlier that Boeing can use its influence on the various authorities—it has some influence there—the better. Boeing did not quote for this plane. No US jobs are put at risk by Delta buying these planes. There is no evidence that they could come from an alternative American supplier, as far as I am aware. Against that background, I strongly hope that we can put this behind us. Boeing is a wonderful company. It does a lot of good work, and it has made a very silly move on this occasion, and the sooner it withdraws it, the better.
I tend to agree with my noble friend. It is interesting to hear about his direct involvement in Shorts going back a number of years. He is right that it is perhaps rather ironic that there are so many jobs—23,000 is the correct figure—in the US. I would argue that Boeing taking this view is an own goal.
However, Boeing remains very important to us in the UK. Its contribution to the UK is considerable. There are 2,200 people directly employed by Boeing, and that figure is expected to rise to 4,000 by 2025. The annual supply chain spend is £2.1 billion and the annual UK R&D spend is £11 million per annum. The House may know that Boeing has a new civil aerospace manufacturing facility in Sheffield. It is Boeing’s first civil factory in Europe. There is also a hangar in Gatwick and a repair facility in Lossiemouth. It is important for us to continue to develop the long-term partnership with Boeing, and as I said earlier, its action, which is inexplicable, must be overturned. I hope, as my noble friend said, that Boeing will see sense and withdraw its petition.
My Lords, so far in this matter the Government do not seem to have had much or indeed any influence with Boeing, despite the billions of pounds that we spend every year from our defence procurement budget on its excellent products. The Prime Minister does not seem to have had much or indeed any influence with President Trump, and the government proposal for her to go to Beijing does not seem to be much of a priority for Xi Jinping. The Government’s main priority at the moment seems to be to split up with the European Union, turning 27 countries that have traditionally been friends and partners of ours into opposite numbers in an increasingly divisive negotiation. The whole picture is not a very encouraging one, is it, from the point of view of British influence in the world?
I completely disagree with the noble Lord. He is not right to put it in this way. I have made it clear that the Prime Minister has been in touch twice with President Trump and have highlighted all the calls and meetings so far. Her Majesty’s Government are working tirelessly, and will continue to do so, in conjunction with counterparts in the Canadian Government, to encourage Boeing to withdraw its complaint and to seek a negotiated settlement with Bombardier. The Prime Minister, as I mentioned earlier, has been discussing the issue constantly with Prime Minister Trudeau, and Greg Clark has also had a number of conversations with Canada’s Minister for Foreign Affairs, Chrystia Freeland. An enormous amount is going on, and I refute what the noble Lord is saying about alleged inaction from our side.
My Lords, I welcome the Statement by the Minister concerning the future of Bombardier in Northern Ireland. Indeed, the robust efforts being made by the Government on its behalf should be commended. The company is the biggest private sector manufacturing employer in Northern Ireland, and we have heard that 4,000 jobs, directly and indirectly, depend on the parent factory in Belfast. This is an important matter and it is a worrying time for the employees in Northern Ireland. The United States Government have recently imposed a further import tax of 80%, and negotiations do not appear to be proceeding in a spirit of compromise. Given these circumstances, would the Minister agree that it might be appropriate for the Government to adopt the position taken by the Canadian Government, who have stated that they will not do business with Boeing unless the matter is satisfactorily resolved?
I thank the noble Lord for his input. I understand his point of view, but we do not see that as being the way forward. I should say again that the interim statement we heard is bitterly disappointing but it is only the first step. We will continue to strongly defend UK interests in support of Bombardier at the very highest level, because, as the noble Lord has said, the adverse outcome risks jobs and livelihoods among the 4,000 or so skilled workers in Belfast. I can only say that we will continue urgently to work hard at resolving this important matter.
My Lords, I wholeheartedly support the attitude of the Government, as I think does every noble Lord who has contributed to this short debate, but will the Government take into account three important elements? First, Boeing enjoys very considerable influence both on Capitol Hill and in the White House. Secondly, traditionally, consecutive United States Governments have been assiduous in their defence of the American aerospace industry. Thirdly, even if the United States Government were well disposed to a trade deal, might the action of Boeing not be illustrative of the attitude of American industry towards such a deal, if Brexit ever takes place?
On the noble Lord’s third point, I do not agree with what he said to the extent that, as I said earlier, I see this as being a challenging issue between the US, Canadian and UK Governments that is specific to the Boeing/Bombardier matter. It is right to ring-fence that and to look at it and work on it as assiduously as we are. We will continue to do that. I would not want to comment on the influence of Boeing on Capitol Hill. I suspect that it is quite strong over there; equally, we know that and we will continue to work very hard on contacting US congressmen to work through and convince them to convince Boeing to withdraw its petition.
My Lords, I also welcome the Minister’s Statement, in which he outlined the extent of the contact that had taken place between the UK and Canadian Governments. It cannot be stated too often that this company is absolutely essential to the Northern Ireland economy and that the threat to Bombardier could have simply devastating consequences for this part of the United Kingdom. It is essential that concerted efforts continue to be made to ensure that Bombardier’s future in Belfast building wings for the C Series aircraft is secured. I trust that the Boeing directors will note the Minister’s words when he stated that,
“we consider this action by Boeing to be totally unjustified, unwarranted and incompatible with the conduct we would expect of a company with a long-term business relationship with the United Kingdom”.
The Government have the complete support of the Ulster Unionist Party in these endeavours to resolve this dispute.
I thank the noble Lord for his unconditional support for our approach. He is absolutely right that the Bombardier factory and all the attached supply-chain jobs are very important to Northern Ireland. I hope I have been able to make that clear to the House; others have said the same. For example, the £530 million put into the C Series facility in Belfast represented Northern Ireland’s largest ever inward investment, and this must be protected. The C Series is a fantastic plane from what I have understood in the last few hours, and a great product. We must protect the jobs and ensure that the factory and Bombardier continue there. As an aside, I would say that Bombardier is of course very active in Derby. It is obviously a different sector, but it is making carriages for the East Anglian franchise, and I think that it has won a contract with South West Trains. It will be constructing trains for Crossrail, I hope, and there is HS2. That side is also important, although I realise we are talking about Northern Ireland in this Statement.
My Lords, I draw your Lordships’ attention to my entry in the register of interests as leader of Wiltshire Council. Could the Minister confirm the Government’s continued support for the important project between Boeing and QinetiQ at Boscombe Down in Wiltshire?
I will have to write to my noble friend about that specific point, as it is not in my brief. I will certainly write and give her a full briefing on that.
My Lords, I very much welcome the Government’s strong approach, but it is very optimistic to say that this is a ring-fenced issue. If the Government are speaking to the United States Administration, will they also raise the matter of the American challenge to tariff-rate quotas and the breaking-up of the agreement that has been made between the UK and Europe over tariff-rate quotas on agricultural agreements? This too could be very detrimental to this country in our Brexit negotiations, but is something that the United States Government have taken to the WTO quite aggressively.
We are talking here about the aerospace sector, but as the noble Lord has broadened this debate, I will say more generally that of course what we are looking for is a tariff-free global trading area. There is no sense in having tariffs put on, because a market is thereby skewed, so we are looking in the future to have a tariff-free approach. Coming back to Boeing, I hope that we can persuade it to withdraw. The US needs to understand too that a tariff-free approach to trade is the way forward.
My Lords, I thank the Minister for repeating the Statement to the House this afternoon. I thank the Government, Her Majesty’s Opposition and the Liberal Democrats for their support for Bombardier—all-party support in our national Parliament. More interestingly, in Northern Ireland not only have the unionist parties supported Bombardier but Sinn Fein has done so as well. As one who negotiated the Belfast agreement, I am concerned that if thousands of people lose their jobs at Bombardier, that will have an unsettling impact on the ground in Northern Ireland. That should be taken into account.
I noticed that the Foreign Minister for the Republic of Ireland raised the issue of Bombardier when he was in the US last week. Have we had any feedback from the southern Irish Government as to what he achieved or what was said? Has it been encouraging or discouraging, or does it not exist at all? Since we are still in the EU for another few years, and since it controls all trading matters, I ask: has the EU really spoken out for Bombardier in Belfast?
It is good that the noble Lord has reiterated the fact that there is all-party support. I take his point. It is interesting, bearing in mind the political challenges in Northern Ireland, that unionists and Sinn Fein are also behind our efforts to find a resolution to this problem. He is right, as I said before, that the impact on the ground if Boeing were not to withdraw its petition would be profound indeed, but I say again that we are at the first stage of this difficult process and we will work as hard as possible to ensure that it is overturned. Again, we say it is unjustified and we do not think it is right, and we will continue to work at all levels to resolve it. On the noble Lord’s point about feedback from the southern Irish Government, there is nothing specific to mention. We continue our engagement with the southern Irish Government but there is nothing to give feedback on.
Data Protection Bill [HL]
Second Reading (Continued)
My Lords, I am particularly interested in how the Bill enhances the lives of young people and how in Committee we could add to the opportunities that the Bill provides. The word “protection” is immensely important in this digital age, and young people probably need more protection than at any other time in our recent history. They should have control over their own data.
Like your Lordships, I have been sent a large number of briefings on the Data Protection Bill. I was particularly taken with the joint briefing from the Children’s Society and YoungMinds. As we have heard from the noble Baroness, Lady Lane-Fox, they found that almost three in four children and young people have a social media account before the age of 13. The same survey also revealed that four in 10 young people had experienced online bullying. For young people affected by this form of bullying, the right to have contact removed will be very welcome. I have seen first-hand how young people’s lives can be seriously harmed, and I welcome having a longer debate on this issue in Committee.
I was very taken with the noble Baroness’s comments, although they did not quite match my personal experience. As a head teacher of a large 600-place primary school, I would find children who had been seriously bullied and were in meltdown. When we saw the children and talked to their parents, it turned out that the bullying came from social media. This raises the question: how did children as young as eight years old get signed up to Facebook? By their brothers and sisters. Why did their parents not know about this? This is a very serious problem. I do not know if it is about the long arm of the police, which the noble Baroness, Lady Lane-Fox, suggested was not the way, whether it is about young children knowing their rights, or, as I suspect, whether it is a bit of both, including parental education as well.
In the 1960s a baby named Graham Gaskin was put into care by Liverpool local authority after his mother, a local beauty queen, committed suicide by jumping into the River Mersey. Graham was passed from one institution to another; he was sent to over 20 institutions, including 14 different foster homes, over an 18-year period. He claimed that he suffered neglect, mismanagement and sexual abuse. He tried to understand what had happened to him, the family circumstances and the family connections—his back story, if you like. He was prevented from seeing his social services file but managed somehow to purloin it. In those confidential papers he found out about the secrets of his shocking life in care.
Three remarkable people stand out in the Graham Gaskin story: the local solicitor, Mr Rex Makin, who represented Graham and fought to get justice for him; a local journalist, Mr Ian Craig, who spent months checking and cross-checking the details and wrote a series of devastating articles about what had happened to Graham in the Liverpool Echo; and the chair of the social services committee, Mr Paul Clark, who struggled against the legal system to allow his officers to open up the file and had a fiat, which I am told is a type of injunction, issued against him, preventing him releasing those files. In November 1981, the noble Lord, Lord Alton, then my honourable friend and MP for the Edge Hill constituency in Liverpool, spoke in the Commons about the Graham Gaskin case. He said:
“Graham Gaskin is just another name still locked away in a filing cabinet … I hope that encouragement will be given to local authorities to humanise their services so that the tragedy of Graham Gaskin’s lost youth will never happen again”.—[Official Report, Commons, 6/11/81; col. 284.]
Had the files of Graham Gaskin and thousands of other children been allowed to have been opened, they would have revealed a scandal as shocking as the revelations that have come to light about some of our residential homes and might have prevented the abuse of children that was so prevalent at the time.
We have come a long way since those days, and of course the law allows access to files under the Data Protection Act 1998. Since the noble Lord, Lord Alton, made his comments about humanising social services, we have done that very thing. However, opening the files and making them accessible to young people is very different from the sort of legal problems that, for example, solicitors often face. It is of fundamental importance that everyone has the right to their personal data, and the legislation does not restrict or inhibit that right, but I shall talk about it from a practitioner’s point of view. This issue is beyond my comprehension but I have spent several moments talking to solicitors about it, so the language that I use is not of my immediate understanding but it gives some flavour of how we should have not only the spirit of making these files available but the practicalities as well.
If someone makes a request for data a year after making a previous request, and in the intervening period there has been further activity about the requester by the data controller, it will be argued that the substance of previous requests is being repeated. Is not the substance of any request to obtain the relevant data then held by the data controller? It will be argued that if someone has made a previous request, they will not be able to make a subsequent one. I think I understand that and I hope noble Lords do too.
Terminology needs to be clearly defined, not left open to later judicial interpretation. For example, if a right is to be denied on the basis that complying with it would involve disproportionate effort, there needs to be a definition of “proportionate”. More effort is needed for supplying data to someone who has had a lot of dealings with a data controller, especially government departments and numerous agencies because such are regarded as one data controller. We need to ensure that each separate agency has its own data controller. Will it be argued in the courts that it is manifestly unfounded or excessive for someone with a lot of personal data about them to request it? The current law requires all data controllers, with some minor exceptions, to register with the ICO. If they do not, they are acting unlawfully by processing personal data, and the provisions of the criminal law apply.
When the Bill which became the Data Protection Act 1998 was introduced to Parliament, the drafting instructions to parliamentary counsel were as follows: “We regard it as essential that there be a clear sanction for failure to make a mandatory notification. The obligation to notify is itself a cornerstone of the notification regime, and we wish to place a distinct onus on controllers to take responsibility for ascertaining and discharging their obligations in this respect”. Huge numbers have not done so, with a massive loss to the public purse. The law will not be strengthened by removing the cornerstone of the current law.
The Bill is long and detailed, and the devil, as always, is in the detail. The detail needs most careful scrutiny to ensure that the fundamental rights of the citizen are paramount, not those of officialdom. In any balance concerning the rights of the individual, there should be a presumption that those acting in any official capacity should have the official records disclosed. The balancing exercise introduced in the 1998 Act following the Graham Gaskin case, effectively replicated in the Bill, has not worked in practice, and Parliament can and should give further guidance. I look forward to finding out how we may improve some of these detailed issues for people who find themselves in the same situation as the Graham Gaskins of the 1980s.
My Lords, it is a great privilege to follow the noble Lord, with all his experience of providing care and support for children and families. It was very troubling to hear of the case of Graham Gaskin.
I hesitate to speak. I do so because I am very interested in child development and issues of age of consent within the development of children. For instance, I very much oppose the lowering of the age of franchise to 16, which many have argued for, because my understanding and experience is that adolescence is hugely challenging and we should not put additional burdens on young people. Reading a survey in which 81% of adults thought that the age of consent for sharing personal information should be at 16 or 18, with the majority of parents thinking that the age should be 18, I was very concerned and wanted to take part in this debate and learn more.
I was recalling our history with access to the internet and pornography. My recollection was that we did not think about those things from the perspective of children and young people. Thanks to the noble efforts of my noble friend Lady Howe, we are now getting on top of that issue, but a report yesterday pointed to a marked rise in sexual assaults by children on children in the past year. Of course it is speculative to say so, but I would not be at all surprised if access by children to the internet has helped to fuel that rise.
We really need to give these issues deep and considered thought and, looking at the briefings, my sense is that it has not been given to the age of consent. It seems to be the default position because that is what Facebook and the other big companies offer. Even the European Union directive did not seem to involve a deep consultation among parents, children—ensuring that children’s voices could be heard—and experts to determine that the age should be between 13 and 16. I join my noble friend Lady Howe’s request for an urgent consultation by the Government with parents, children—in an effective way—and experts on this issue.
I will try to think through what might be the implications. Please forgive my naiveté, but this might be an opportunity for people to market products to 13 year-olds. My experience and research suggests that where children come from family backgrounds of breakdown or depression, that is reflected in the child’s relationships with other children in school. They can find it difficult to relate to others and become isolated. What do they turn to in those circumstances? The research points to the fact that they will be the children with the most expensive articles of clothes. The most expensive trainers will belong to the children who find it most difficult to make relationships with other children. I suppose that we see the same thing in the adult world: often those who are least sociable spend more money on articles of clothing to compensate for that. One concern might be that marketeers will be particularly effective at reaching out to more vulnerable children and encouraging them to pester their parents to buy more products. There will be more pressure on households to go into debt. In our debate on another Bill at the moment, we are seeing that far too many households are experiencing debt. Perhaps that is not a likely eventuality, but it needs to be explored.
Another eventuality might be political lobbying groups seeking to develop a youth wing to reach out to 13, 14 and 15 year-olds and disseminate information to prepare them to join the party later on. All around the world we see hateful political groups gaining ascendance. That is another risk that we need to take into account: how vulnerable are our young people to such groups?
I should be most grateful if the Minister would make clear what is a child in the Bill. Will he ensure that the Bill is clear that anyone under the age of 18 is a child? On the age of consent, what about children with developmental delays or special educational needs? Obviously, chronological age may not be appropriate, so how does one deal with those children? Finally on verification, how do we know that a child who says he is 13 is really 13 and not several years younger?
I share the concern voiced by many Peers about the age of consent. I was to some extent reassured by my noble friend Lady Lane-Fox but, given the history and concern about access to pornography and the lack of consideration for the impact on children and young people, it is our duty to give the Bill the thorough consideration that it needs. I look forward to the Minister’s response.
My Lords, it is a privilege to follow the noble Earl, who has brought so much wisdom and passion to the issue of child protection, which is rapidly becoming the leitmotiv of this debate—and rightly so. My comments will be about something slightly different: the impact of the Bill on journalism and the right to freedom of expression. I declare my interest accordingly as executive director of the Telegraph Media Group and draw attention to my other media interests in the register.
I first had the dubious pleasure of becoming involved in the issue of data protection more than 20 years ago, when the EU data protection directive was introduced in 1996. During the passage of the Data Protection Bill which implemented it, my noble friend Lord Wakeham, then chairman of the Press Complaints Commission, set out in his customary cogent fashion why that directive was potentially so grave for press and media freedom. He identified two key issues with the directive, and it is worth repeating what he had to say, because those issues are, if anything, more relevant today than they were then:
“The first is that the directive’s definition of ‘personal data’ is extremely wide, covering virtually any information relating to an individual, including details of political opinion, trade union membership, racial or ethnic origin and philosophical beliefs. The second is that the definition of processing specifically includes, for the first time, the use of material for journalistic purposes; and in turn journalism, of course, relies on the use of all the information covered by the directive. The very real danger in the combination”,
of the two is that it,
“could be used to introduce a regime that would gravely damage the freedom of the press, undermine investigative journalism”.—[Official Report, 2/2/1998; col. 462.]
What became the Data Protection Act 1998 avoided such a dismal fate, and indeed through Section 32 struck an appropriate, clever and enduring balance at the time between the right to privacy and the right to freedom of expression. That was in so many ways down to the guiding hand of Lord Williams of Mostyn, who is still much missed in this House. He went out of his way to consult the industry and respond to its concerns. I remember with affection many meetings with him, not least as he was able to make the issue of data protection amusing, which is no small feat. To pick up on the comments of the noble Baroness, Lady Lane-Fox, I do not know whether he would have been able to make it comprehensible—that may have been a challenge too far. But at the end of the day, he succeeded in ensuring that the legislation balanced the right to privacy with the right to free expression, which he treasured so much. We have heard a bit about that in today’s debate.
This Government have been equally as determined as Gareth Williams was to ensure that freedom of expression is protected and have consulted widely all the interested parties. I am particularly grateful to the DCMS Ministers Karen Bradley and Matt Hancock for their understanding and patience in this area of protection not just for journalism but for literary, artistic and academic activities. Great credit is due to all those who were involved in the long and often deeply tortuous negotiations over the general data protection regulation, who ensured that it makes absolutely clear that member states must provide for exemptions and derogations carried out not only for journalistic purposes, but for the purposes of academic, artistic and literary expression as well. Recital 153 of the GDPR is particularly welcome and important as it explicitly recognises how protections for freedom of expression,
“should apply in particular to the processing of personal data in the audiovisual field and in news archives and press libraries”,
and ought to be reflected in the Bill.
The Government have gone to considerable lengths to consult widely on the UK’s implementation of the exemptions and derogations in the directive and have clearly stated, as I am sure the Minister will reiterate again today, that:
“Processing of personal data by journalists for freedom of expression and to expose wrongdoing is to be safeguarded”.
That is what Part 5 of Schedule 2, relating to the exemptions for freedom of expression and information, alongside other clauses in the Bill, seeks to do.
Such protections are vital for us as citizens, who depend on a free press to hold those in positions of power to account. As importantly, particularly in a post-Brexit world—and we have heard a lot about that world today—proper implementation of the exemptions is essential to the continuation of the UK’s shining role as a world leader in the creative, cultural and communications sphere. For all those reasons, it is imperative that the existing protections in the 1998 Act are not just maintained in this legislation but enhanced, and applied consistently throughout the Bill.
I specifically use the word “enhanced” because, through no fault of the existing legislation, which was extremely well crafted, the defences inherent in Section 32 of the 1998 Act have begun to erode. That is mainly an unintended consequence of the Defamation Act 2013, with the passage of which many noble Lords here today were involved. That legislation, so carefully scrutinised in this House, has done much to stop trivial and vexatious libel claims in the courts, but regrettably some people, who are now no longer able to bring libel proceedings, have begun to stretch the boundaries of other laws to do so. Data protection is fast becoming an alternative remedy for those who wish to blunt investigative journalism or seek to launder a justly bad reputation by removing articles from the online record. That is something that we have heard a bit about today.
One issue that we should consider is whether the carefully sculpted defences set out in the Defamation Act 2013 could somehow be replicated in this legislation and applied to data protection claims. It also cannot be right for the Information Commissioner to have the power, set out in Clause 165, to fund legal claims against those pursuing literary, artistic, academic and journalistic activities; that power runs counter to the aims of the Defamation Act. No other sector of activity is singled out in that way, and there is no case for it.
Inevitably as the Bill is scrutinised, much of the devil will be in the detail, as the noble Lord, Lord Storey, said. A number of specific issues—many of them, I suspect, inadvertent or unintended—ought to be addressed if the Bill is not to have a restrictive and damaging impact on freedom of expression, and particularly on the media’s operations, all the way from the initial investigation of a story to the eventual archiving of material. For example, we need to ensure that the investigation and enforcement powers of the Information Commissioner, particularly in the area of pre-publication activities, are not extended, and that the existing checks and balances, which have worked extraordinarily well in the current regime, are rigorously maintained in this legislation, not reduced. If not, there is a danger that the commissioner could become some form of statutory press regulator, which is not what I believe the Government intend, and which most of us would believe to be abhorrent in a free society. Similarly, there needs to be explicit protection for academic, literary and media archives, including a transparent and effective regime for the assessment of “right to be forgotten” requests relating to internet search records. Those records are not just the “first draft of history”; they often now comprise the only record of significant events, which will be essential to historians and others in future, and they must be protected.
We also need to remember that, far more so even than was the case back in 1996, the media today, as with all artistic activities, are completely global. All those processing data for special purposes need to be able to receive and share certain personal data rights across the world. That is particularly true in relation to the protection of sources, and contact or email exchanges with them. We should never forget in this House that in some parts of the world, even partial release of sensitive information can have the most appalling repercussions, putting the lives of sources and reporters in grave, often mortal, danger. The protections and exemptions in this area need to be put in place and be absolutely watertight. Quite apart from the personal risks involved, investigative journalism such as that on the Panama papers could become quite impossible if we did not get this balance right.
I am conscious that I have been talking specifically about Article 10 rights on freedom of expression, but I absolutely understand that those have carefully to be balanced with other rights. My noble friend the Minister in his opening remarks made that point extremely well. It is important to underline that none of the points that I have raised here would in any way undermine an individual’s right to privacy, safeguarded by Article 8 of the convention. These limited changes would continue fully to protect that right, while providing much greater clarity and certainty for those processing data for the special purposes. Therein lies the effective balance which characterised the 1998 Act and which should, I believe, be the guiding principle and hallmark of what will inevitably become the Data Protection Act 2018.
I spoke earlier about the Government’s commitment to consultation on the detail of this Bill, and the constructive and open way in which they have worked with all those impacted in this area. I very much hope that the Minister will continue to undertake such work with all those who have an interest in this vital issue and that we can, during the passage of the Bill, make further amendments to protect what at the end of the day is the foundation stone of our democracy.
My Lords, I, too, thank the Minister for his careful introduction of the Bill, and the organisations and individuals who have briefed us, including the individual who wrote, “It does your head in”. I was glad to hear the assurance that the Bill may—I hope I have this right—with repeated readings come close to comprehension.
At later stages, I hope to focus on Parts 3 and 4 of the Bill, but this evening I make some points about young people and the age of consent. I have to say—I may be out of step with other noble Lords—that I am not entirely convinced that the age of 16 would provide more effective protection than 13. I was struck by the recent launch of a report by the Children’s Commissioner for England. The report contains a jargon-busting guide,
“to give kids more power in digital world”.
The commissioner’s launch paper remarked:
“For children, there is no difference between online and offline life. To them, it’s just life … You wouldn’t drop a 12-year-old in the middle of a big city and expect them to fend for themselves. The same should be true online”.
The jargon-busting guide is intended to help children and teachers negotiate and understand what they are signing up to when they use Facebook, Instagram, YouTube, Snapchat, WhatsApp and so on. It uses simplified terms and conditions—it is acknowledged that it is not a legal document but is designed to be an accessible and child-friendly tool to help children understand their digital rights and make informed choices.
Noble Lords will have received a briefing from the Carnegie UK Trust on digital skills. Among other things, it reminds us that so many young people— I think actually that should be “so many people”—are unaware that “delete” does not actually mean “delete”.
I do not think that achieving the age of 14, 15 or 16 would address this. The route of information and education is much more important than a diktat in legislation. I suspect that we could be in danger of being unrealistic about what life is like for children and young people these days. We should not ignore public opinion but, quite honestly, times have changed. We will debate both the age threshold and age verification, which is clearly inseparable from this, during the course of the Bill.
Like other noble Lords, I am concerned about public trust and confidence in the system. At the moment there is a need for guidance on preparation for the new regime. I visited a charity last week and asked about the availability and accessibility of advice. The immediate, almost knee-jerk response was, “It’s pretty dire”—followed by comments that most of what is available is about fundraising and that there is a particular lack of advice on how to deal with data relating to children. The comment was made, too, that the legislation is tougher on charities than on the private sector. I have not pinned down whether that is the case, but I do not disbelieve it. The Federation of Small Businesses has made similar points about support for small businesses.
On confidence and trust, my view is that the use of algorithms undermines confidence. This is not an algorithm but perhaps an analogy: we have been made aware recently—“reminded” would be a better term—of the requirement on banks to check the immigration status of account holders. I took part recently in a panel discussion on immigration. The participants’ names were Gambaccini, Siddiq, Qureshi and Hamwee. With those names, although we are all British citizens, I should think that we are pretty suspect. Algorithms will be used by the policing and intelligence communities, among others. My specific question is: have the Government considered independent oversight of this?
My confidence in the system is also not helped by the fact that the data protection principles applied to law enforcement do not include transparency. I am prepared to be told that this is because of the detail of the GDPR, but I find it difficult to understand why there is not transparency subject to some qualifications, given that transparency is within the principles applying in the case of the intelligence services.
“User notification” is another way of talking about transparency and is a significant human rights issue in the context of the right not only to privacy but to effective remedy and a fair trial. I am sure that we will question some of the exemptions and seek more specificity during the course of the Bill.
We are of course accustomed to greater restrictions—or “protections”, depending on your point of view—where national security is concerned, but that does not mean that no information can be released, even if it is broad brush. I wonder whether there is a role for the Intelligence and Security Committee here—not that I would suggest that that would be a complete answer. Again, this is something we might want to explore.
Part of our job is to ensure that the Bill is as clear as possible. I was interested that the report of the committee of the noble Lord, Lord Jay, referred to “white space” and language. It quoted the Information Commissioner, who noted trigger terms such as “high-risk”, “large scale” and “systematic”. Her evidence was that until the new European Data Protection Board and the courts start interpreting the terms,
“it is not clear what the GDPR will look like in practice”.
I found that some of the language of the Bill raised questions in my mind. For instance—I am not asking for a response now; we can do this by way of an amendment later—the term “legitimate” is used in a couple of clauses. Is that wider than “legal”? What is the difference between “necessary” and “strictly necessary”? I do not think that I have ever come across “strictly necessary” in legislation. There are also judgment calls implicit in many of the provisions, including the “appropriate” level of security and processing that is “unwarranted”. By the by, I am intrigued by the airtime given to exams—and by the use of the term “exams”. Back in the day there would certainly have been an amendment to change it to “examinations”; I am not going to table that one.
Finally, I return to the committee report, which has not had as much attention as the Bill. That is a shame, but I am sure we will come back to it as source material. I noted the observation that, post Brexit, there is a risk that, in the Information Commissioner’s words, the UK could find itself,
“outside, pressing our faces on the glass … without influence”,
and yet having,
“adopted fulsomely the GDPR”.
That image could be applied more widely.
Do the Government accept the committee’s recommendation in paragraph 166 that they should start to address retaining UK influence by,
“seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board”?
My noble friend Lord McNally referred to running up the down escalator, and his alternatives to the Henry VIII clauses are well worth considering—I hope that that does not sound patronising.
This is one of those Bills that is like a forest in the points of principle that it raises. Some of us, I am afraid, will look closely at a lot of the twigs in that forest.
My Lords, I will be brief, as the late Lord Walton always said at the start of his speeches. However, I actually mean it. That is because many of the points I want to make have been made by either the noble Baronesses, Lady Neville-Jones or Lady Ludford, or my noble friend Lord Patel, who declared my interest as chair of the Wellcome Trust for me. For those noble Lords who are not familiar with the organisation, we spend about £1 billion a year on improving human health, largely through funding medical research, primarily in this country but also in 16 other countries overseas. We welcome the Bill, although we think it needs improvement. Before Committee, we look for answers to the questions laid out by my noble friend Lord Patel on the need for universities to have real clarity about how they process data.
For the public interest, terminology should be extended so that we can look at issues of safeguards beyond consent and make sure that it is possible to do clinical trials and interventional work. Why is that the case? It is because health data offers the most exciting opportunities to do things which we have only recently been able to do, understand the causes of disease in detail over populations and have a much better chance of getting to diagnosis early. We could deal with many things if we could only diagnose them far earlier and develop treatments for them—indeed, prevent some of them ever materialising. Health data also helps us to measure the efficacy of treatment. We all know of plenty of treatments that over years have proved to be useless, or unexpected ones that have proved to be outstanding. Looking at big-scale data helps us to do that. That data helps in precision medicine, which we are all moving towards having, where the drugs we receive are for us, not our neighbour, although we apparently both have the same illness. Health data can also help with safety as you can collect the side-effects that people are suffering from for particular drugs. It helps us evaluate policy and, of course, should help the NHS in planning.
I know that the Government want to support scientists to process data with confidence and safety. The industrial strategy comments that data should be “appropriately accessed by researchers”. “Appropriate” is a hopeless word; we do not know what it means, but still. The document also states that access for researchers to,
“currently available national datasets should be accelerated by streamlining legal and ethical approvals”.
We are not there yet.
I want to say a word about public support. The Wellcome Trust commissioned an Ipsos MORI poll last year before the Caldicott review to assess public support for the collection of data. In many cases, there is significant public support for that provided it is anonymised—although I know there are questions about that—but what people are fussed about is that their data is sold on for commercial purposes, that it is used for marketing or, worst of all, that it is used to affect their insurance policies and life insurance. Therefore, we need to give reassurance on that. However, it has certainly been the case in our experience, and that of many universities, that you can recruit many people for trials and studies if they believe that their data will help others with similar diseases or indeed themselves.
My noble friend Lord Patel trailed that I would mention the UK Biobank, as this will face real problems if this legislation is not amended. For noble Lords who are not aware of it, the UK Biobank is funded partly by the Wellcome Trust and partly by the Government through the Medical Research Council. Between 2006 and 2010, it recruited half a million people who gave body samples, details about their lifestyles, economic environments and genomes. Some of these details have been accessed but not all. This has produced the most fantastic amount of data, which is helping us to discover causes of cancer, heart disease—there is a long list, and I will read them all out as they are all important—stroke, diabetes, arthritis, osteoporosis, eye disorders, depression and dementia. Other subjects will be added. The conclusions of this data are open to anybody in the world because health has no frontier. There is no other biobank like this in the world. The Chinese have started one called the Kadoorie, but it is neither as extensive nor profound; it will become invaluable, but it is not yet. The UK Biobank is a unique resource for the world. It is based in Oxford and funded by a major British charity and the taxpayer. We must make that data useful and do nothing to damage the way in which it contributes to helping save lives.
My Lords, I have enjoyed the debate very much so far. I hope that the same can be said of my noble friend the Minister, who will clearly find support from all around the House for a large number of amendments. I found myself agreeing with the noble Lord, Lord Stevenson, on several points, not least on the question of adequacy, which seems to me absolutely fundamental to getting this Bill right. I hope that my noble friend will be able to be very clear on how the Government intend to tackle this key aspect.
I agreed with the noble Lord, Lord McNally, too, and his worries about standing up to the tech giants. They are not our friends. They are big, powerful companies that are not citizens of this country. They pay as little tax here as possible and several of them actively help tax evaders in order that they can make more profits out of the transactions that that involves. They control what we see on the internet through algorithms and extract vast quantities of data and know more about us than we know ourselves. In the interests of democracy we really must stand up to them and say, “No, we are the people who matter. It is great you are doing well, but we are the people who matter”. Bills like this are part of that, and it is important that we stand up for ourselves and our citizens.
I agreed very much with my noble friend Lady Neville-Jones that research is crucial. In my context as editor of the Good Schools Guide we use a fair bit of government data and do research with it. I will pick my noble friend’s brain afterwards on what her worries are about the use of data by non-standard researchers because I certainly qualify as that.
My noble friend Lord Arbuthnot referred to a Keeling schedule. It would be wonderful to receive it. For some reason I cannot pick it up on the email. It is not in the documents listed on the Parliament website, not in any location, and it does not Google or come up on GOV.UK. One way or another, I think the simplest thing to ask is: please can we put it on the parliamentary website in the list of documents related to the Bill? I know that it exists, but I just cannot find it. It would be nice if it appeared on the departmental website too.
It seems to me that bits are missing in a number of areas. Where are Articles 3, 27, 22(2)(b) and 35(4) to 35(6)? Where is Article 80(2), as the noble Baroness, Lady Lane-Fox, mentioned? That is an absolutely crucial article. Why has it gone missing? How exactly is recital 71 implemented? I cannot see how the protections for children in that recital are picked up in the Bill. There are a lot of things that Keeling schedules are important for. In a detailed Bill like this, they help us to understand how the underlying European legislation will be reflected, which will be crucial for the acceptance of this Bill by the European Union—I pick up the point made by the noble Lord, Lord Stevenson—and what bits are missing.
And what has been added? Where does paragraph 8 of Schedule 11 come from? It is a very large, loose power. Where are its edges? What is an example of that? I would be very grateful if my noble friend could drop me a note on that before we reach Committee. What is an arguable point under that provision? Where are the limits of our economic interest so far as its influence on this Bill is concerned?
Paragraph 4 of Schedule 10 is another place that worries me. We all make our personal data public, but a lot of the time we do it in a particular context. If I take a photograph with my parliamentary-supplied iPhone, on which there is an app that I have granted the power to look at my photographs for some purpose that I use that app for, I have made that photograph and all the metadata public. That is not what I intended; I made it public for a particular purpose in a particular context—that of social media. A lot of people use things like dating websites. They do not put information on there which is intended to be totally public. Therefore, the wording of paragraph 4 of Schedule 10 seems to be far too wide in the context of the way people use the internet. Principle 2 of the Data Protection Act covers this. It gives us protection against the use of information for purposes which it clearly has not been released for. There does not appear to be any equivalent in the Bill—although I have not picked up the Keeling schedule, so perhaps it is there. However, I would like to know where it is.
On other little bits and pieces, I would like to see the public policy documents under Clause 33(4) and Clause 33(5) made public; at the moment they are not. How is age verification supposed to work? Does it involve the release of data by parents to prove that the child is the necessary age to permit the child access, and if so, what happens to that data? Paragraph 23 of Schedule 2 addresses exam scripts. Why are these suddenly being made things that you cannot retrieve? What are the Government up to here? Paragraph 4 of Schedule 2, on immigration, takes away rights immigrants have at the moment under the Data Protection Act. Why? What is going on?
There are lots of bits and pieces which I hope we can pick up in Committee. I look forward to going through the Bill with a very fine-toothed comb—it is an important piece of legislation.
My Lords, I welcome the opportunity to speak in this Second Reading debate. It is always slightly daunting to follow the noble Lord, Lord Lucas. We were colleagues on the Digital Skills Committee a few years back, and he was pretty daunting on that too, being a great fund of knowledge on this subject. I mention at the outset my interests as set out in the register, including as a trustee of the British Library and as a member of the parliamentary Intelligence and Security Committee in the last Parliament. I too welcome this important piece of legislation. I will be brief and confine myself to some general remarks.
There is no doubt that data, big data, data processing and data innovation are all absolutely essential ingredients in the digital revolution which is changing the world around us. However, as we have discussed in debates in this House, advances in technology inevitably risk outstripping our capacity to think through some of the social, ethical and regulatory challenges posed by these advances. This is probably true of questions of data protection.
The last key legislation, the Data Protection Act 1998, was ground-breaking in its time. But it was designed in a different age, when the internet was in its infancy, smartphones did not exist and the digital universe was microscopic compared to today. As the Government have said, we desperately need a regulatory framework which is comprehensive and fit for purpose for the present digital age.
As has been mentioned by other noble Lords, the Bill is also necessary to ensure that our legislation is compatible with the GDPR, which comes into force next year. It is absolutely clear that however Brexit unfolds, our ability to retain an accepted common regulatory framework for handling data is essential; the ability to move data across borders is central to our trading future. I was much struck by the lucid explanation given by the noble Lord, Lord Jay, of some of the challenges which lie ahead in achieving this goal of a common regulatory framework for the future.
The Bill before us is undoubtedly a major advance on our earlier legislation. It is inevitably complex, and as today’s debate makes absolutely clear, there are areas which this House will wish to scrutinise carefully and in depth, including issues of consent and the new rights such as the right to be forgotten and to know when personal data has been hacked, and so on. The two areas which will be of particular interest to me as a member of the board of the British Library and as a member of the Intelligence and Security Committee in the last Parliament will be, first and foremost, archiving in the public interest, and secondly, Part 4, on data processing by the intelligence services.
In order to support archiving activities, as was made clear in the British Library’s submission during the DCMS consultation earlier this year, it is essential that this legislation provide a strong and robust legal basis to support public and private organisations which are undertaking archiving in the public interest. As I understand it, this new legislation confirms the exemptions currently available in the UK Data Protection Act 1998: safeguarding data processing necessary for archiving purposes in the public interest and archiving for scientific, historical and statistical purposes. This is welcome, but there may perhaps be issues around definitions of who and what is covered by the phrase “archiving in the public interest”. I look forward to further discussion and, hopefully, further reassurances on whether the work of public archiving institutions such as our libraries and museums is adequately safeguarded in the Bill.
On Part 4, data processing by the intelligence services does not fall within scope of the GDPR, and this part of the Bill provides a regime based on the Council of Europe’s modernised—but not yet finally agreed—Convention 108. The intelligence services already comply with data-handling obligations within the regulatory structures found in a range of existing legislation. This includes the Investigatory Powers Act 2016, which, as was debated in this Chamber this time last year, creates a number of new offences if agencies wrongly disclose data using the powers in that Act.
The new Bill seeks to replicate the approach of the Data Protection Act 1998, whereby there have been well-established exemptions to safeguard national security. It is obviously vital that the intelligence services be able to continue to operate effectively at home and with our European and other partners, and I look forward to our further discussion during the passage of the Bill on whether this draft legislation gives the intelligence services the safeguards they require to operate effectively.
In sum, this is a most important piece of legislation. If, as the noble Baroness, Lady Lane-Fox, suggests, we can set the bar high, it will be a most significant step forward. First, it will redefine the crucial balance between, on the one hand, the freedom to grasp the extraordinary opportunities offered by the new data world we are in and, on the other, the need to protect sensitive personal data. Secondly, and very importantly, it will put the United Kingdom at the forefront of wider efforts to regulate sensibly and pragmatically the digital revolution which is changing the way we run our lives.
My Lords, as the economy becomes more digitised, the politics of data become centrally important. As the Minister himself said, data is the fuel of the digital economy, and public policy now needs an agile framework around which to balance the forces at play. We need to power the economy and innovation with data while protecting the rights of the individual and of wider society from exploitation by those who hold our data. The recent theft of the personal details of 143 million Americans in the hack of Equifax or the unfolding story of abuse of social media in the US elections by Russian agents make the obvious case for data protection.
This Bill attempts to help us tackle some big moral and ethical dilemmas, and we as parliamentarians have a real struggle to be sufficiently informed in a rapidly changing and innovative environment. I welcome the certainty that the Bill gives us in implementing the GDPR in this country in a form that anticipates Brexit and the need to continue to comply with EU data law regardless of membership of the EU in the future.
However, we need e-privacy alongside the GDPR. For example, access to a website being conditional on accepting tracking cookies should be outlawed; we need stricter rules on wi-fi location tracking; browsers should have privacy high by default; and we need to look at extending the protections around personal data to metadata derived from personal data.
But ultimately I believe that the GDPR is an answer to the past. It is a long-overdue response to past and current data practice, but it is a long way from what the Information Commissioner’s briefing describes as,
“one of the final pieces of much needed data protection reform”.
I am grateful to Nicholas Oliver, the founder of people.io, and to Gi Fernando from Freeformers for helping my thinking on these very difficult issues.
The Bill addresses issues of consent, erasure and portability to help protect us as citizens. I shall start with consent. A tougher consent regime is important but how do we make it informed? Even if 13 is the right age for consent, how do we inform that consent with young people, with parents, with adults generally, with vulnerable people and with small businesses which have to comply with this law? Which education campaigns will cut through in a nation where 11 million of us are already digitally excluded and where digital exclusion does not exclude significant amounts of personal data being held about you? And what is the extent of that consent?
As an early adopter of Facebook 10 years ago, I would have blindly agreed to its terms and conditions that required its users to grant it,
“a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content”.
I posted on the site. It effectively required me to give it the right to use my family photos and videos for marketing purposes and to resell them to anybody. Thanks to this Bill, it will be easier for me to ask it to delete that personal data and it will make it easier for me to take it away and put it goodness knows where else with whatever level of security I deem fit, if I can trust it. That is welcome, although I still quite like Facebook, so I will not do it just yet.
But what about the artificial intelligence generated from that data? If, in an outrageous conflagration of issues around fake news and election-fixing by a foreign power to enable a reality TV star with a narcissistic personality disorder to occupy the most powerful executive office in the free world, I take against Facebook, can I withdraw consent for my data to be used to inform artificial intelligences that Facebook can go on to use for profit and for whatever ethical use they see fit? No, I cannot.
What if, say, Google DeepMind got hold of NHS data and its algorithms were used with bias? What if Google gets away with breaking data protection as part of its innovation and maybe starts its own ethics group, marking its own ethics homework? Where is my consent and where do I get a share of the revenue generated by Google selling the intelligence derived in part from my data? And if it sells that AI to a health company which sells a resulting product back to the NHS, how do I ensure that the patients are advantaged because their data was at the source of the product?
No consent regime can anticipate future use or the generation of intelligent products by aggregating my data with that of others. The new reality is that consent in its current form is dead. Users can no longer reasonably comprehend the risk associated with data sharing, and so cannot reasonably be asked to give consent.
The individual as a data controller also becomes central. I have plenty of names, addresses, phone numbers and email addresses, and even the birthdays of my contacts in my phone. Some are even Members of your Lordships’ House. If I then, say, hire a car and connect my phone to the car over Bluetooth so that I can have hands-free driving and music from my phone, I may then end up sharing that personal contact data with the car and thereby all subsequent hirers of the car. Perhaps I should be accountable with the car owner for that breach.
Then, thanks to AI, in the future we will also have to resolve the paradox of consent. If AI determines that you have heart disease by facial recognition or by reading your pulse, it starts to make inference outside the context of consent. The AI knows something about you, but how can you give consent for it to tell you when you do not know what it knows? Here, we will probably need to find an intermediary to represent the interests of the individual, not the state or wider society. If the AI determines that you are in love with someone based on text messages, does the AI have the right to tell you or your partner? What if the AI is linked to your virtual assistant—to Siri or Google Now—and your partner asks Siri whether you are in love with someone else? What is the consent regime around that? Clause 13, which deals with a “significant decision”, may help with that, but machine learning means that some of these technologies are effectively a black box where the creators themselves do not even know the potential outcomes.
The final thing I want to say on consent concerns the sensitive area of children. Schools routinely use commercial apps for things such as recording behaviour, profiling children, cashless payments, reporting and so on. I am an advocate of the uses of these technologies. Many have seamless integration with the school management information systems that thereby expose children’s personal data to third parties based on digital contracts. Schools desperately need advice on GDPR compliance to allow them to comply with this Bill when it becomes law.
Then there is the collection of data by schools to populate the national pupil database held by the Department for Education. This database contains highly sensitive data about more than 8 million children in England and is routinely shared with academic researchers and other government departments. The justification for this data collection is not made clear by the DfE and causes a big workload problem in schools. Incidentally, this is the same data about pupils that was shared with the Home Office for it to pursue deportation investigations. I am talking about data collected by teachers for learning being used for deportation. Where is the consent in that?
“won’t share your information with any other organisations for marketing, market research or commercial purposes”.
That claim does not survive any scrutiny. For example, Tutor Hunt, a commercial tutoring company, was granted access to the postcode, date of birth and unique school reference number of all pupils. This was granted for two years up to the end of March this year to give parents advice on school choice. Similar data releases have been given to journalists and others. It may be argued that this data is still anonymous, but it is laughable to suggest that identity cannot then be re-engineered, or engineered in the first place, from birth date, postal code and school. The Government need to get their own house in order to comply with the Bill.
That leads me to erasure, which normally means removing all data that relates to an individual, such as name, address and so on. The remaining data survives with a unique numeric token as an identifier. Conflicting legislation will continue to require companies to keep data for accounting purposes. If that includes transactions, there will normally be enough data to re-engineer identity from an identity token number. There is a clause in the Bill to punish that re-engineering, which needs debating to legitimise benign attempts to test research and data security, as discussed by the noble Baroness, Lady Manningham-Buller.
The fact that the Bill acknowledges how easy it is to re-identify from anonymous data points to a problem. The examples of malign hacking from overseas are countless. How do we prevent that with UK law? What are the Government’s plans, especially post Brexit, to address this risk? How do we deal with the risk of a benign UK company collecting data with consent—perhaps Tutor Hunt, which I referred to earlier—that is then acquired by an overseas company, which then uses that data free from the constraints of this legislation?
In the context of erasure, let me come to an end by saying that the Bill also allows for the right to be forgotten for children as they become 18. This is positive, as long as the individual can choose what they want to keep for him or herself. Otherwise, it would be like suggesting you burn your photo albums to stop an employer judging you.
Could the Minister tell me how the right to be forgotten works with the blockchain? These decentralised encrypted trust networks are attractive to those who do not trust big databases for privacy reasons. By design, data is stored in a billion different tokens and synced across countless devices. That data is immutable. Blockchain is heavily used in fintech, and London is a centre for fintech. But the erasure of blockchain data is impossible. How does that work in this Bill?
My Lords, many noble Lords will know that my particular interests, clearly stated on the register, are concerned with making the digital world fit for children and young people, and so the greater part of my comments concern that. However, I wanted to say at the outset that dealing with this Bill without having had the opportunity to scrutinise the GDPR or understand the ambition and scope of the Government’s digital charter, their internet safety strategy or even some of the details that we still await on the Digital Economy Act made my head hurt also.
I start with the age of consent. Like others, I am concerned that the age of 13 was a decision reached not on the advice of child development experts, child campaigners or parents. Perhaps most importantly of all, the decision lacks the voice of young people. They are key players in this: the early adopters of emerging technologies, the first to spot its problems and, so very often, the last to be consulted or, indeed, not consulted at all. Also, like others, I was bewildered when I saw Clause 187. Are Scottish children especially mature or are their southern counterparts universally less so? More importantly, it seems that we have to comply with the GDPR, except when we do not.
As the right reverend Prelate has outlined, the age of 13 is really an age of convenience. We have simply chosen to align UK standards with COPPA, a piece of US legislation that its own authors once described to me as a “terrible compromise”, and which dates from 2000, when the notion of every child carrying a smartphone with the processing power of “Apollo 11” and consulting it every few minutes, hundreds of times day and night, was not even in our imagination, let alone our reality.
Before considering whether 13 is the right age, we should understand what plans the Government have to require tech companies to make any provisions for those aged 13 to 17, or whether it is the considered opinion of the UK Government that in the digital environment a 13 year-old is a de facto adult. Will the Government require tech companies to publish data risk assessments setting out how children are likely to engage with their service at different ages and the steps they have taken to support them, including transparent reporting data? Are we to have minimum design standards in parts of the digital environment that children frequent, and that includes those places that they are not supposed to be? Will the ICO have powers to enforce against ISS providers which do not take steps to prevent very young children accessing services designed for people twice their age? My understanding is that age compliance will continue to be monitored and enforced by the ISS companies themselves.
As Ofcom pointed out, in 2016 in the UK, 21% of 10 year-olds, 43% of 11 year-olds and half of all 12 year-olds had a social media profile, in spite of COPPA. Are the Government planning to adequately resource and train all front-line workers with children, teachers, parents and children in a programme of digital literacy as the House of Lords Communications Committee called for, and in doing so inform all concerned—those 13 and under and those between the ages of 13 and 18—on the impact for young people of inhabiting what is increasingly a commercial environment? Until these questions are answered positively, the argument for a hard age of consent seems weak.
In contrast, in its current code of practice on processing personal data online, the ICO recommends a nuanced approach, advising would-be data collectors that:
“Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly”.
The current system places the obligation on the data controller to consider the context of the child user, and requires them to frame and direct the request appropriately. It underpins what we know about childhood: that it is a journey from dependence to autonomy, from infancy to maturity. Different ages require different privileges and levels of support.
If being GDPR compliant requires a hard age limit, how do we intend to verify the age of the child in any meaningful way without, perversely, collecting more data from children than we do from adults? Given that the age of consent is to vary from country to country—16 in the Netherlands, Germany and Hungary; 14 in Austria—data controllers will also need to know the location of a child so that the right rules can be applied. Arguably, that creates more risk for children, but definitely it will create more data.
In all of this we must acknowledge a child’s right to access the digital world knowledgeably, creatively and fearlessly. Excluding children is not the answer, but providing a digital environment fit for them to flourish in must be. There is not enough in this Bill to fundamentally realign young people’s relationship with tech companies when it comes to their data.
Much like the noble Lord, Lord Knight, my view is that we have got this all wrong. In the future, the user will be the owner of their own data, with our preferences attached to our individual online identity. Companies and services will sign up to our bespoke terms and conditions, which will encompass our interests and tolerances, rather than the other way round. If that sounds a little far-fetched, I refer noble Lords to the IEEE, where this proposal is laid out in considerable detail. For those who do not know the IEEE, it is the pre-eminent global organisation of the electrical engineering professions.
While this rather better option is not before us today, it must inform our understanding that the Bill is effectively supporting an uncomfortable status quo. Challenging the status quo means putting children first, for example by putting the code of practice promised in the Digital Economy Act on a statutory footing so that it is enforceable; by imposing minimum design standards where the end-user is likely or may be a child; by publishing guidance to the tech companies on privacy settings, tracking, GPS and so forth; by demanding that they meet the rights of young people in the digital environment; and by a much tougher, altogether more appropriate, regime for children’s data.
All that could and should be achieved by May, because it comes down to the small print and the culture of a few very powerful businesses for which our children are no match. The GDPR offers warm words on consumer rights, automated profiling and data minimisation, but with terms and conditions as long as “Hamlet”, it is disingenuous to believe that plain English or any number of tick boxes for informed or specific consent will materially protect young people from the real-life consequences of data harvesting, which are intrusive, especially when we have left the data poachers in charge of the rules of engagement.
We could do better—a lot better. I agree wholeheartedly with other noble Lords who are looking for structures and principles that will serve us into the future. Those principles should not only serve us in terms of other EU member states but be bold enough to give us a voice in Silicon Valley. In the meantime, the Government can and should enact the derogation under article 80(2) and in the case of complainants under the age of 18, it should not only be a right but a requirement. We cannot endorse a system where we create poster children on front-line battles with tech companies. We are told that this Bill is about data protection for individuals—a Bill that favours users over business and children over the bottom line. But the absence of Article 8 of the European Charter of Fundamental Rights is an inexcusable omission. The Bill in front of us is simply not robust enough to replace Article 8. I call on the Government to insert that crucial principle into UK legislation. It must be wrong for our post-Brexit legislation to be deliberately absent of underlying principles. It is simply not adequate.
I had a laundry list of issues to bring to Committee, but I think I will overlook them. During the debate, a couple of noble Lords asked whether it was possible to regulate the internet. We should acknowledge that the GDPR shows that it can be done, kicking and screaming. It is in itself a victory for a legislative body—the EU. My understanding is that it will set a new benchmark for data-processing standards and will be adopted worldwide to achieve a harmonised global framework. As imperfect as it is, it proves that regulating the digital environment, which is entirely man and woman-made and entirely privately owned, is not an impossibility but a battle of societal need versus corporate will.
As I said at the beginning, my central concern is children. A child is a child until they reach maturity, not until they reach for their smart phone. Until Mark Zuckerberg, Sergey Brin and Larry Page, Tim Cook, Jack Dorsey and the rest, with all their resources and creativity, proactively design a digital environment that encompasses the needs of children and refers to the concept of childhood, I am afraid that it falls to us to insist. The Bill as it stands, even in conjunction with the GDPR, is not insistent enough, which I hope as we follow its passage is something that we can address together.
My Lords, I very much agreed with those who said that the regulation must certainly apply to the big boys in the computer and digital world. I shuddered when the noble Baroness, Lady Lane-Fox, quoted from that wholly incomprehensible Brussels jargon from the regulations.
I received last week a letter as chair of Marlesford Parish Council. We have seven members and only 230 people live in Marlesford. Our precept is only £1,000 a year. A letter from the National Association of Local Councils warned me that the GDPR will impose,
“a legal obligation to appoint a Digital Protection Officer … this appointment may not be as straightforward as you may be assuming, as while it may be possible to appoint an existing member of staff”—
we have no staff, just a part-time parish clerk who is basically a volunteer. It continues:
“They must by requirement of regulations possess ‘expert knowledge of data protection law and practices’”.
I am afraid that will not be found in most small villages in the country, so I hope that one result of this Bill will be to introduce an element of proportionality in how it is to apply, otherwise the noble Baroness, Lady Lane-Fox, who was so right to draw our attention to the threat of incomprehensibility, will be right and we will all lose the plot.
The time has come to have a reliable and secure link between the state and its citizens, and the capabilities of the digital world that underlie this Bill give us that opportunity. There are good reasons for that. First, apart from the excellent national census which was founded in 1841, with the latest information having been collected in the 2011 census, Governments have an imperfect knowledge of their customers, paymasters or stakeholders—whatever you would like to call the rest of us. The various links have many defects which result in serious failures in the duties and obligations of the state. The first of those is to ensure that those who need financial help or support get it and do not go short as a result of funds going to those who do not need them or are not entitled to them. In this, the national insurance system has been incredibly difficult to organise properly. Again and again people have tried, and again and again they have failed.
Secondly, the National Health Service, which many of us believe to be a pillar of our British way of life, is chronically short of funds. Large sums are spent on free medical treatment for those who are not entitled to it. For example, under the reciprocal healthcare scheme within the EU, which is based on repayments made by each EU Government, we pay more than 10 times as much to other EU Governments for their treatment of our citizens as we collect for treating theirs. That is a gap of £500 million. In the case of the NHS treatment of non-EU citizens, the failure to collect charges now costs £1 billion a year.
Thirdly, control of our borders is inadequate, largely due to the failure of our passport system, an issue I have raised many times in your Lordships’ House.
Fourthly, there are serious defects in policing, combating digital crime and other aspects of law and order. To give just two examples, there are problems for our security services in protecting us from terrorism and identity theft, which is a growing problem. My proposal involves giving every citizen a unique identification number that would be backed by centrally held biometrics to confirm the identity of the citizen. The UIN would supplement and eventually replace the plethora of other state numbers, which include those for national insurance, the registry of births and deaths, national health, HMRC, passports, driving licences, the police national computer, the national firearms register and custodial sentences. Citizens would be required to know their own UIN and to give it to those with a legitimate reason to ask for it. The UIN would be printed on passports, driving licences and so on. To assist those without such documents, it might be helpful to make available a plastic card with the person’s name and UIN. Such a card would not be mandatory and it would have no validity in and of itself. It would not of course be an identity card, any more than a credit card or business card would be. Needless to say, it would have no biometrics of any sort on it.
Access to the biometrics would be carefully restricted to those on a need-to-use basis, and those with such access would have data relevant only to their need to know. The verification process would be based on real-time use of the biometrics. The authority would take the biometrics from an individual when necessary, and such action would be limited to appropriate members of government agencies. They would include the police, immigration officers, security people and so on. The biometrics could then be compared with the central record. Important decisions to be made would include which biometrics should be used, such as facial recognition techniques, fingerprints and so forth. The introduction of the UIN would be gradual, depending on the logistics of collecting the biometrics. Existing numbers would continue to be used for a while. Proper data protection would be key to the viability, security, integrity and public acceptability of the UIN. All I am asking is for Her Majesty’s Government to set up a study of what I propose. I am afraid I am not very confident that they will.
In 1997, I tabled an amendment to the Firearms (Amendment) Bill to set up a national electronic record of all firearms, similar to the excellent one that had long been in use by the DVLA. The amendment was passed and became part of the Act, but for the next 10 years the Home Office used every technique from the “Yes Minister” book to resist implementing it. Thanks to widespread support in this House—including from, if I may so, the noble Lord, Lord McNally, in his ministerial position—the amendment was eventually accepted and it has been in useful operation for the past 10 years.
However, I am worried about whether the Government always move as fast as they should on these computer matters. Sometimes they seem rather out of their depth. I remember, in 1966, as a keen young member of the Conservative Research Department, I was sent to carry the bag and take notes for Ernest Marples, a great political figure, around the world, to America and Japan, to see how we could use new techniques—electronic techniques and all the rest—to run the Government better. When I came back, all bright-eyed and bushy-tailed, I met a very senior official, a charming Under-Secretary from the Ministry of Health. I said to him, “You know, I’ve just been in America and Conrad Hilton has this wonderful system. He tracks everything that happens in his hotels: where the money goes, what the clients do and all the rest of it. Your hospitals are really rather like hotels—couldn’t you start doing the same?” He looked at me and shook his head and said, “Mark, before we spend government money on computers, we have to be sure they are here to stay”.
My Lords, I start by thanking the Minister for the opportunity to meet him and officials earlier today.
I welcome the stated purpose of the Bill. In my mind, it must be sensible to unify and consolidate the law in this area, and to update its application to more recent technologies. Bringing the GDPR into UK law is unquestionably desirable. I have been impressed by the GDPR’s elegance and sense of purpose, following, as it does—or claims to do—the European Charter of Fundamental Rights in 88 pages of self-reinforcing statements of principles.
I cannot go on without welcoming the EU Select Committee’s report, so ably spoken to by the noble Lord, Lord Jay, who I see is not in his place. I think it is a pity that the report did not have its own slot. Despite acknowledging that the Bill fleshes out the regulation to make it member-state applicable, like the noble Lord, Lord Stevenson, I worry about a Bill of 218 pages and an explanatory note of 112 pages, plus a departmental pack of 247 pages to deal with it all. That all adds to the complexity. I admit that the GDPR conceals its highly challenging requirements in wording of beguiling simplicity under the flag of private rights, but it is no wonder that the European Parliament did not want its handiwork contextualised by inclusion in what we have before us. It is not a particularly encouraging start to bringing 40 years of EU legislation into domestic law.
In what I felt was an inspirational contribution, the noble Baroness, Lady Lane-Fox—I am sorry she is not in her place—referred to the tortuous use of language in parts of the Bill. I agree with her—parts of it are gobbledygook that deny transparency to ordinary mortals. She referred also to my direct ancestor, Ada Lovelace, some of whose expressions of mathematical principles, even for a non-mathematician such as me, make a good deal more sense than parts of the Bill.
The Bill sets out to replace the 1998 Act with new GDPR provisions, meaning new and enhanced rights of data subjects for access, portability and transparency, and duties on controllers on specific consent—not by default, it should be noted—procedural audit trails, a more clearly defined regulatory and supervisory framework, and potential for substantially increased fines for infractions. There is enough that is new, apart from public expectations and the revised geometry as between data subject and data controller, which will naturally give rise to a fresh view of precedent and practice.
Consistency of the Bill with the GDPR core principles, as well as the fundamental rights upon which it is based, will be our focus at the Bill proceeds. A lot of organisations will need to review the way in which they are authorised, in their logging of the origins and possible destinations of personal data they hold, as well as the protocols for responding to requests for information from data subjects. I do not doubt that there will be some pitfalls for the unwary. It may no longer be possible to rely on the continuing acceptability and lawfulness of the previous arrangements under which they have operated, nor to second guess with accuracy how regulation and enforcement will unfold henceforward.
So there may be something going well beyond the more benign narrative of updating, modernising and extending the application on its own. There seem to be some particularly uncharted waters here, with the burden of proof as to compliance and adequacy of arrangements being firmly in the lap of the controller on what looks very like a strict liability basis. That alters the geometry of what will be dealt with.
As regards international cross-jurisdictional data— I am thinking of beyond the EU—I wonder how successfully the proposed arrangements will carry forward in the longer term, bearing in mind that the world market contains numerous players who for their own purposes and advantage might not be that keen to match the standards we claim to set for ourselves. Indeed, the construct of ethical data comes to mind, with all the usual caveats previously associated with ethical foreign policy—the noble Lord, Lord Knight, referred to the ethics; I agree with him that there is a strong threat. That would follow a global principle that sits behind GDPR.
The GDPR is hypothecated on the principle of individual compliance of each processor enterprise, so in a data-processing daisy chain across continents the continued tying in to the tenets of the GDPR is an obvious practical problem with some limitations and it should give us cause for reflection, although I have some admiration for the algorithm that the GDPR sets out to create.
I question how the Government view the ongoing processing of more historical personal data, referred to by other noble Lords, when the purpose for collecting it or the basis for any implied or deemed consent either had not been met or should long since have been refreshed or treated as expired. We all know that old data is still sloshing around in the ether, some of it potentially of dubious accuracy, but I merely point to the fact that this is often an ongoing processing operation without beginning or end point or any apparent possibility of amending or deleting records, as mentioned by other noble Lords. The amount of screening needed to ensure accuracy would be vast. I am entirely unclear that this Bill or the GDPR will improve things for those data subjects for whom this sort of thing can be harmful. I am not thinking just of social media. How will legacy data be dealt with, especially as it does not seem to have been entirely successfully corralled by the 1998 Act or by all other member states under the 1995 data protection directive? I see the correction of that as one of the fundamental principles behind the GDPR—it is the trip wire which has been put there deliberately.
I have concerns about some of the “get out” provisions included in the Bill. The first is the “too difficult” excuse; businesses already use this as a blocking measure. How does one get round the argument that it is too difficult to extract the individual personal data despite knowing that it is the targeted agglomeration of such data, relating to a natural individual, that is the outcome of the processing? The second is that the request is regarded as vexatious. This of course can be concocted by the simple expedient of being evasive towards the first two requests and from the third onwards treating it as repetitive or vexatious—it already happens. I would like reassurance from the Minister that the basic individual rights promised under the GDPR cannot be so circumvented.
The third excuse is “too much data”, referred to by other noble Lords; in other words, there is a lot of personal data held on an individual data subject. Here, there is a provision that the data controller may decline to give information if the precise nature of the data sought is not specified. My impression is that failure of a data subject to specify allows the controller to become unresponsive. If that is the intention, it seems to me to fail the broader test of article 14 of the GDPR, the basic premise of which is that the data subject is entitled to accurate and intelligible information.
It cannot be assumed that the data subject already knows what the scale and nature of the data held actually are or precisely who holds it, although it is clear that the GDPR gives an entitlement to this information. It must follow that, at very least, the controller, in making his “too much data” response, has to identify the general nature, categories and type of data held about that person. I invite the Minister to comment on what is intended. I concur very much with the point so eloquently made by the noble Baroness, Lady Lane-Fox, on the asymmetry of technical knowledge, resource and political clout as between the data subject and the controller, particularly when set against the practical challenge of extracting individual personal data in response to a formal request.
I was reminded of something only yesterday, as a result of a question as to whether a person was or was not at a certain place at a certain time, which was averred by a complainant in a harassment case who used CCTV footage they had created themselves. It was pointed out that the person against whom the complaint was made said they were somewhere else, in a retail premises covered by other CCTV footage. However, it appeared that the retail premises operator would not release the data because it also contained images of other people and there were, accordingly, privacy issues. What is the balance of rights and protections to be in such a case, where somebody faces prosecution?
That leads me to the issue of data collected by public bodies and agencies. I do not think it is generally understood what personal data is shared by police, social services, health bodies and others, some of them mentioned by the noble Lord, Lord Marlesford. Indeed, I am clear that I do not know either, but I believe that many of these agencies hold data in a number of different forms and on a variety of platforms, many of which are bespoke and do not readily talk to other systems. The data are collected for one purpose and used for other purposes, as the noble Lord, Lord Knight, rightly observed. It is on record in debates in this House that some of these bodies do not actually know how many data systems they have, even less what data—whether usable, personal, relevant or accurate, as the case may be—they actually contain. How does one enforce that situation? Some of these databases may not even be operating with the knowledge of the Information Commissioner. There will be an expectation that that is going to be tightened up.
A considerable measure of latitude is afforded to the processing of personal data in the public interest. I will be very brief on this point. I would not rest easy that we have an adequate separation of genuine public interest from administrative convenience and I looked in vain for clarification as to what public interest would amount to in this context. I have to say that I am even more confused than I was when I started. In the longer term it remains to be seen how the GDPR will work, incorporated into UK law, interpreted and enforced firstly through our domestic courts under the aegis of the EU but subsequently on a twin-track basis, when we will be dealing with it ourselves through the precedents of our own judicial system and the same GDPR will be being looked at in a European context elsewhere.
I want the Bill to work; I want to enable proper business use of data and to empower data subjects, as the GDPR promises, with a minimum of obfuscation, prevarication and deceit. Transparency has not been the hallmark of UK data businesses or government administration in this respect, but without it there is no justice, due process or citizen confidence in the rule of law and it will be corrosive if we do not get this right. However, I do not see any fundamental mismatch between this and best business practice, so I look forward to further debates on the Bill as we proceed.
My Lords, the Data Protection Act was introduced in 1998. In those days, Facebook, Google and Uber did not exist, Amazon was barely four years old, Apple was tottering under the imminent threat of bankruptcy, search engines were rudimentary, as was the internet itself, and it would be another nine years until the iPhone would be launched. It was, indeed, a very different world. While I welcome the Bill, it remains a fact that when it becomes an Act next year it will be 20 years since its predecessor was enacted. Information and digital technology are growing exponentially. No other industry in the history of the world has even come close to this rate of growth. Legislation needs to match and anticipate the speed of these developments. Certainly, we cannot wait until 2037 for the next Data Protection Act.
Today I am going to raise three issues, which I would like the Minister to respond to. They all centre on the dominant and predatory behaviour of the American big tech giants. I will give your Lordships a striking example of such behaviour from one of them: Apple. In an ideal world, I would like every Member here who has an iPhone to take it out and turn it on, but that probably contravenes the Standing Orders of your Lordships’ House. So I will do the next best thing: I will set out five iPhone directions and, in the cool of the evening, when noble Lords have Hansard in front of them, they can replicate what I am now going to demonstrate.
Click on Settings, then Privacy, then Location Services. Then scroll all the way down until you see System Services, and then scroll halfway down and click on something called Significant Locations. If you are a little behind the times and do not have iOS 11, it is called Frequent Locations. You will probably be asked for a password. Then you will see History and a list of locations. Click on any one of them. Your Lordships will be staggered by what is revealed: every single location that you have visited in the past month—when you arrived, when you left, how long you stayed—all this very private and confidential information is starkly displayed. Who gave Apple permission to store this information about me on my iPhone? It is the default setting, but Apple never asked me. It will argue, of course, that it is private information and it has no access to it—maybe. If you think about it, the opportunities for snooping on people very close to you are endless and dangerous. Now the latest iPhone, the iPhone 8, has facial recognition. It does not take much imagination to work out how somebody could get access to a close member of your family and find out where they have been for the past month, without their permission to do it.
I think it was the noble Baroness, Lady Kidron, who spoke about Apple and its terms and conditions. She said that they were longer than “Hamlet”. I read that the iTunes terms and conditions were longer than “Macbeth”. Well, “Macbeth” or “Hamlet”, whatever it is, it is an awful lot of words. Of course, you have no opportunity to change those terms and conditions. You either agree or disagree. If you disagree, you cannot use the phone. So what choice do you have?
I see this as typical big tech behaviour. These companies run the world according to their rules, not ours. I have long campaigned against the cavalier approach of big tech companies in all aspects of business and personal life. These include Facebook, Amazon, Microsoft, Google and, of course, Apple. I was going to make some quip about the west-coast climate and the breezes of the west coast, but I guess with the news of the past two days that is probably not a good thing to be doing. Big tech companies have become mega-libertarians, positioning themselves above Governments and other regulators. They say they are good citizens and abide by the law. They have corporate mantras which say, “Do no evil”, but they stash away hundreds of billions of stateless, untaxed dollars. They promote end-to-end encryption. They are disingenuous when foreign Governments try to influence democratic elections. Perhaps they do no evil, but neither are they the model citizens they say they are.
So full marks to EU Commissioner Margrethe Vestager for bringing Apple, Google and Amazon to task, and full marks to President Macron for his efforts to set up an EU-wide equalisation tax to ensure that corporation tax is based on revenue, not creative accounting. I know that this is a DCMS Bill and international taxation is outside the Minister’s brief, but I have heard the Prime Minister criticise these tax dodges by big tech so I ask him or his colleagues in the Treasury: will the Government support the French President in this campaign?
I now turn to another area which is giving me great concern, which is digital health and health information in general. One of the great treasures we have in this country concerns our population’s health records. The NHS has been in existence since 1948 and in those 70 years the data of tens of millions of patients have been amassed. They are called longitudinal data, and they are a treasure trove. Such data can be instrumental in developing drugs and advanced medical treatment. Few other countries have aggregated such comprehensive health data. It puts us in pole position. However, in 2016 Royal Free London NHS Foundation Trust sold its rights to its data to a company called DeepMind, a subsidiary of—yes, noble Lords have guessed it—Google. The records of 1.6 million people were handed over. In June this year, Taunton and Somerset NHS Foundation Trust signed a similar deal with DeepMind. The data are being used to create a healthcare app called Streams, an alert, diagnosis and detection system for acute kidney injury, and who can object to that? However, patients have not consented to their personal data being used in this way.
Ms Elizabeth Denham, the Information Commissioner, has said that the Royal Free should have been more transparent and that DeepMind failed to comply with the existing Data Protection Act, but the issue is much graver than not complying with the Act. I do not know this for sure, but if I had to bet on who negotiated the better deal, Google or the Royal Free, I know where my money would be. DeepMind will make a fortune. I put this to the Minister: does he agree that NHS patient data are a massive national asset that should be protected? Does he agree that this mass of patient data should not be sold outright in an uncontrolled form to third parties? I know the NHS is strapped for cash, but there are many better ways of maximising returns. One way would be for NHS records to be anonymised and then licensed rather than sold outright, as is common with much intellectual property. I also believe that the NHS should have equity participation in the profits generated by the application of this information. After all, to use the vernacular of venture capital, it, too, has skin in the game.
As today’s debate has shown, there are fundamental questions that need to be answered. I have posed three. First, what protection will we have to stop companies such as Apple storing private data without our express permission? Secondly, will the UK support the French President in his quest for an equalisation tax aimed at big tech? Finally, how can we protect key strategic data, such as digital health, from being acquired without our permission by the likes of Google?
My Lords, I think I should introduce my wife to the noble Lord, Lord Mitchell. She has some worries about Apple and, come to think of it, she has probably been snooping on me.
I shall spend my time on the European Union Committee’s third report. I very much welcome the Motion tabled by the noble Lord, Lord Jay, and the very measured way he introduced the report. I heartily agree with the noble Lord, Lord Stevenson, and my noble friend Lady Neville-Jones that we want the committee to go on studying these matters so that we come to understand them better than we do. That seems very important because an aspect of this Bill is that it is a pre-Brexit negotiation Bill. All the things in the Bill are of massive interest, as has been illustrated, but, as I understand it, in the Government’s mind it is a preparation for the negotiations that will inevitably follow, given the timing of the introduction of the GDPR and the triggering of Article 50. Of course, the provisions of the GDPR come under the single market in the systems of the European Union, which makes it even more important that we think very carefully about where we are and how we can make the best of it.
I have to admit that I do not think the starting point is a very good one. It seems to me that we used to understand that the European Union method of negotiation was that nothing is agreed until everything is agreed, but it has thrown that out of the window and this is not the way this negotiation is going. If nothing is agreed until everything is agreed, you have to have discussed everything before you come to the conclusion, but this is not where we are. The Commission keeps saying, “You are bad boys and have not offered us enough”, so the starting point is not very good, which raises the question of where data protection will come in to these negotiations.
I admire the Explanatory Notes—as I think the noble Lord, Lord Stevenson, did—which are a pretty good document compared to other Explanatory Notes that I have seen in the past. I was also interested in the August statement of intent, which was full of good intentions. But I think I rely more on the evidence that was given to the committee of the noble Lord, Lord Jay, and on that committee’s conclusions. Its central conclusion was that we should seek to achieve an “adequacy” decision. The report goes on, positively, to make recommendations on other difficulties such as the arrangements with the United States, as well as on the maintenance of adequacy, how it might be achieved and the continuance of shared policy.
I will offer just a word about “adequacy” and the use of language. The word “fairly”, which has no meaning in a court, has been used this afternoon. The word “adequacy” is pretty subjective. It has always been the Commission’s tendency to want to use words that are difficult to understand and have no clear meaning in English, such as “subsidiarity”—although that has not come into this part of our campaigning. Common sense tells us that both we and the European Union would be sensible to want to maintain data flows, with adequate protection. That is to say, although the present regime is not perfect, we would want it to continue and to improve.
However, unfortunately, our Brexit vote of no confidence in the Commission and in the project that it pursues has left us in an embarrassing and, it must be said, unfriendly negotiating atmosphere. What is more, our previous contributions following the Council of Europe’s Convention 108 have been very considerable. We not only started the ball rolling, together with many other members of the European Union—Germany, Austria, France and so on—with legislation in 1984, but we assisted a great deal in the run-up to the directive of 1995, when the European Union came into the action, somewhat after it had started; 10 years in fact. Then we had the 1998 Act, on which people have commented. With its 74 clauses and 16 schedules, it has done rather well in the circumstances of a changing world. However, that now seems not to help us with the Commission. We have been very helpful but now we have decided to walk off the pitch, and I think people do not like it if you leave in the middle of the game.
What we need from the Commission, as we have had on other occasions, is a flexibility of response, but I am afraid that is not the Commission’s strong point. Nor is its attitude to the Council of Europe, which started the process of Convention 108. I am not convinced that it will be full of joy at the Council of Europe modernising Convention 108. The EU has made an effort to become a member of the Council of Europe, so far unsuccessful. A personal reflection: if it were to be successful, with 27 or 28 votes out of 47, I suppose it would hope to take charge.
We are the defaulters, seen as obstinate, self-interested and unable to recognise the need for ever-closer union. And so we have this Bill. It is a sensible effort to get and remain in line with EU regulation—to show and share equivalence—even if in two places, I suspect much to the parliamentary draftsman’s distress, we qualify it with the adverb “broadly”. I am also sure we are right that we should be looking for an adequacy decision but, despite the excellent report and its very clear and admirable conclusions, will the Commission reciprocate? It will always be easy to quibble with third-country adequacy. It is a very complex subject and there will never be any difficulty in disagreeing with something; your Lordships have demonstrated that very clearly this afternoon. There is no perfect answer, certainly not one that will withstand the changes that make even a very good answer not such a good one later. So I am afraid my conclusion is that, unless things change, the Commission will continue to find fault with however manfully we try to satisfy its requirements. Is there then a chance that there will be some political intervention, some repetition of the statesmanlike behaviour of European politicians in 1949, the starting year of the Council of Europe? We have about a year to find out. Maybe, but I would not bet on it. No deal on this matter by default seems increasingly likely.
My Lords, I am going to deal with my concerns about how the Bill might affect journalism and free speech. I declare my interest as a series producer at ITN Productions.
In the fast-changing world of the digital revolution, it is beholden on noble Lords to be vigilant about the way in which our personal data is now so readily available to so many people to be processed in so many ways, more than many of us ever conceived. I am glad that the GDPR has been brought forward and that this Bill protects further the availability and use of personal information. However, I am concerned that these new privacy rights will be balanced with further limitations on the freedom of the press and the ability of journalists to carry out investigative journalism in the public interest, which I believe was one of the original aims of the Data Protection Act 1998.
At the moment, data protection legislation is being used to control unwelcome exposure of incriminating personal information by journalists. We have seen cases such as that of Prince Moulay v Elaph Publishing, in which the original case for defamation was thrown out as not libellous, only for the Prince to instigate proceedings for the incriminating information against him to be removed from the public sphere using data protection law, despite the intention of the original Act being that there should be an exemption for journalism.
I understand the sentiment behind the “right to be forgotten” clause. Of course, many people want their youthful indiscretions to be forgotten and, for most, it is important that they should be. This concept is based on the Costeja v Google Spain case, which stopped links being made to personal information in search results. However, the courts are now being tested to see whether the original information itself can be suppressed.
In the age of fake news, it has never been more important to be able to go back to source material to check original data against more recent updates and deletions. Noble Lords will have heard of click bait, where sites are specifically set up to shock with false information to attract eyeballs—as they call them in the industry—and make money from the resultant advertising. Noble Lords must not suppress the means to refute such fake news and ascertain the truth.
So I am very pleased that GDPR article 17 has an exemption for publication of data for free speech and the holding of archives in the public interest, further safeguarded in article 89. However, Clause 18, which indeed provides welcome protection for many archives held in the public interest—for instance, those for historical, scientific and statistical purposes—does give protection to cover media archives.
My concern is that past media articles are an important source for verifying information. They might hold reports of criminal convictions of the person or information about a politician’s past which, years later, when they are trying to stand for office, might prove embarrassing but informative for voters. Surely business people, voters and many others should have full access to the information in those archives, whether it is embarrassing or not. This information helps them to shape a fuller profile of the person whose reputation they are trying to assess.
In the digital age, there are millions of opinions, but refuting falsehoods or discovering the truth has never been more difficult. The only way to do that is through source material on trusted websites or archives, where the information has been mediated and checked. I suggest that websites holding archives of trusted media organisations should be protected by and covered in the Bill. The inherent public interest in such archives should be explicitly recognised, as provided in the GDPR.
I am pleased that there is an exemption for data processing for journalism in Schedule 2, part 5, paragraph 24. However, in sub-paragraph (2), there is concern that the exemption applies only when the processing of data is used for journalism. If this information, once it has been gathered for journalism, is subsequently used by the regulators or the police, the use of the word “only” will negate that exemption. I ask the Minister to look at that again.
I am also concerned about the extension of the powers of the ICO prior to publication to examine whether information is exempt from data protection provisions because it is being processed for journalism. GDPR article 6 contains an obligation to consult the Information Commissioner, but Clause 164 goes much further. It enhances the power of the ICO to examine the application of the exemptions for journalism prior to publication and unilaterally second-guess editorial decisions made in respect of the provisions in the Bill.
This means that if a journalist is investigating, for instance, people smugglers, involving undercover filming or subterfuge which is deemed to create a high risk to data subjects, the ICO can intervene prior to publication. The commissioner has the power to apply their objective view to the claim, which might overwrite and disregard the reasonable view of an editor. The ICO might, for example, call for the individual being investigated to be notified in advance that their data is being used, or that they should be given access to additional data being held about them as part of the journalistic investigation.
In my view, this is not even consistent with the terms of journalistic exemption. It would result in investigative journalism being delayed or even stopped until the ICO has examined it for compliance with part of the Act prior to publication. The provision could act as a form of censorship. The existing right of the editor to decide whether the story should go ahead in the public interest will therefore be eroded. I suggest that Clause 164 should be amended to ensure that investigative journalism is not chilled by the extension of powers of intervention by the ICO prior to publication.
Finally, I am concerned that there is no time limit on the right to sue in respect of information processed for special purposes, which continues to be retained or published in the media archive. Under the Defamation Act, that limitation was one year from the date of publication. Under this Bill, there is no limitation. Surely, if information is inaccurate, the complainant should sue within a specific period. The longer the case is delayed from the original publication date, the more difficult it is to refute the allegations. The journalist could move on, contact with the original source material might be lost, memories blurred and notes, even those held digitally, mislaid. Complainants must have the right to complain, but there must be a balance with the time period when that can be done. A failure to have a period of limitation will surely be a chilling effect on the publication of information.
I welcome this Bill as an important advance in protecting privacy in the digital age, but I am concerned that some of its provisions do not yet strike the right balance between privacy and free speech. I ask the Minister to take my concerns seriously.
My Lords, I congratulate our Ministers and the Government on bringing this Bill to our House in this timely way. It is extremely technical—and herein lies a danger, because it is also very important and covers matters that can be expected to become even more important over time. We must therefore put aside the temptation to think that technical matters are somehow of lesser importance, simply because we do not fully understand them. I declare an interest as the Minister responsible when the EU parent of this Bill, the GDPR, was adopted. While I saw it as a necessary single market measure and a modernising one, there were a number of provisions that we could have done without, mostly introduced by the European Parliament, such as requiring a specific age of consent, which the Government have now proposed should be 13 in the UK, in line with the United States.
In contrast, as always, our UK approach is market opening. We want a competitive, growing Europe, and we want the digital revolution, with its subset artificial intelligence, to continue to stoke growth. But some in the EU have always been most concerned with giving citizens back control over their personal data, an issues that assumed particular importance following the release of documents involving Chancellor Merkel by WikiLeaks. To be fair, the UK has also in this case stated its wish to simplify the regulatory environment for business, and we need to make sure that that actually happens here in the UK. Committee will give us the chance to talk about the merits of the digital revolution and its darker side, which we touched on during the excellent debate led by the noble Baroness, Lady Lane-Fox. I shall not go over that ground again now, but I add one point to the story told by the noble Lord, Lord Mitchell: my Google Maps app now highlights the location of future engagements in my diary. So that is pretty challenging.
I shall touch as others have done on three concerns. According to the Federation of Small Businesses, the measures represent a significant step up in the scope of data protection obligations. High-risk undertakings could phase additional costs of £75,000 a year from the GDPR. The MoJ did an impact assessment in 2012, which is no doubt an underestimate, since it did not take account of the changes made by the European Parliament, which estimated the cost at £260 million in 2018-19 and £310 million by 2025-26. I am not even sure if that covers charities or public organisations or others who have expressed concerns to me about the costs and the duties imposed. Then there are the costs of the various provisions in the Bill, many levelling up data protection measures outside the scope of the GDPR. It is less confusing, I accept, but also more costly to all concerned.
The truth is that overregulation is a plague that hits productivity. Small businesses are suffering already from a combination of measures that are justified individually—pension auto-enrolment, business rates and the living wage—but together can threaten viability at a time of Brexit uncertainty. We must do all we can to come to an honest estimate of the costs and minimise the burden of the new measures in this legislation.
Also, I know that CACI, one of our leading market analysis companies working for top brands such as John Lewis and Vodafone, thinks that the provisions in the Bill are needlessly gold-plated. Imperial College has contacted me about the criminalisation of the re-identification of anonymised data, which it thinks will needlessly make more difficult the vital security work that it and others do.
The noble Lord, Lord Patel, and the noble Baroness, Lady Manningham-Buller, were concerned about being able to contact people at risk where scientific advance made new treatments available—a provision that surely should be covered by the research exemption.
The second issue is complication. It is a long and complicated Bill. We need good guidance for business on its duties—old and new, GDPR and Data Protection Bill—in a simple new form and made available in the best modern way: online. I suggest that—unlike the current ICO site—it should be written by a journalist who is an expert in social media. The Minister might also consider the merits of online training and testing in the new rules. I should probably declare an interest: we used it in 2011 at Tesco for the Bribery Act and at the IPO for a simple explanation of compliance with intellectual property legislation.
The third issue is scrutiny. I am afraid that, as is usual with modern legislation, there are wide enabling powers in the Bill that will allow much burdensome and contentious subordinate detail to be introduced without much scrutiny. The British Medical Association is very concerned about this in relation to patient confidentiality. Clause 15, according to the excellent Library Note, would allow the amendment or repeal of derogations in the Bill by an affirmative resolution SI, thereby shifting control over the legal basis for processing personal data from Parliament to the Executive. Since the overall approach to the Bill is consensual, this is the moment to take a stand on the issue of powers and take time to provide for better scrutiny and to limit the delegated powers in the Bill. Such a model could be useful elsewhere—not least in the Brexit process.
There are two other things I must mention on which my noble friend may be able to provide some reassurance. First, I now sit on the European Union Committee. I am sorry that duties there prevented me sitting through some of this important debate; we were taking important evidence on “no deal”. As the House knows, the committee is much concerned with the detail of Brexit. Data protection comes up a lot—almost as much as the other business concern, which is securing the continued flow of international talent. I would like some reassurance from my noble friend Lady Williams about the risks of Brexit in the data area. If there is no Brexit deal, will the measures that we are taking achieve equivalence—“adequacy”, in the jargon—so that we can continue to move data around? What international agreements on data are in place to protect us in the UK and our third-country investors? Under an agreed exit, which is my preference, is there a way that our regulator could continue to be part of the European data protection supervisory structure and attend the European Data Protection Board, as proposed by the noble Lord, Lord Jay of Ewelme, the esteemed interim chairman of our European Union Committee—or is that pie in the sky?
Secondly, there is a move among NGOs to add a provision for independent organisations to bring collective redress actions for data protection breaches. I am against this proposal. In 2015 we added such a provision to competition legislation—with some hesitation on my part. This provision needs to demonstrate its value before we add parallel provisions elsewhere. It is in everyone’s interests to have a vibrant economy, but business is already facing headwinds in many areas, notably because of the uncertainty surrounding Brexit. In future it will be subject to a much fiercer data protection enforcement regime under our proposals.
I have talked about the costs and others have mentioned the new duties and there will be maximum fines of up to 4% of turnover for data breaches, compared with £0.5 million at present. We certainly do not need yet another addition to the compensation culture. This could reduce sensible risk taking and perversely deter the good attitudes and timely actions to put things right that you see in responsible companies when they make a mistake. There is a real danger that the lawyers would get to take over in business and elsewhere and give the Bill a bad name. That would be unfortunate.
However, in conclusion, I welcome the positive aspects of this important Bill and the helpful attitude of our Ministers. I look forward to the opportunity of helping to improve it in its course through the House.
My Lords, as the last speaker before the winding speeches, I think it is my duty to be extremely brief, so I will try. We have had nearly 20 years of the Data Protection Act. We need this legislation because, if nothing else were the case, the United Kingdom will remain in the European Union on 18 May next year, which is the date of implementation of the new regulation, so we have to do something.
I will make a few rather sceptical remarks about the long-term viability of data protection approaches to protecting privacy. They have, of course, worked, or people have made great efforts to make them work, but I think the context in which they worked, at least up to a point, has become more difficult and they are less likely to work. The definition of personal data used in data protection approaches, and retained here, is data relating to a living individual who is identified, or can be identified, from the data. It is that modal idea of who can be identified that has caused persistent problems. Twenty years ago it was pretty reasonable to assume that identification could be prevented provided one could prevent either inadvertent or malicious disclosure, so the focus was on wrongful disclosure. However, today identification is much more often by inference and it is very difficult to see how inference is to be regulated.
The first time each of us read a detective story, he or she enjoyed the business of looking at the clues and suddenly realising, “Ah, I know whodunnit”. That inference is the way in which persons can be identified from data and, let us admit it, not merely from data that are within the control of some data controller. Data protection is after all in the end a system for regulating data controllers, combined with a requirement that institutions of a certain size have a data controller, so there is a lot that is outside it. However, if we are to protect privacy, there is, of course, reason to think about what is not within the control of any data controller. Today, vast amounts of data are outwith the control of any data controller: they are open data. Open data, as has been shown—a proof of concept from several years ago—can be fully anonymised and yet a process of inference can lead to the identification of persons. This is something we will have to consider in the future in thinking about privacy.
Moreover, throughout the period of data protection, one of the central requirements for the acceptable use of otherwise personal data has been that consent should be sought, yet the concepts of consent used in this area are deeply divisive and various. In commercial contexts, consent requirements are usually interpreted in fairly trivial ways. When we all download new software, we are asked to accept terms and conditions. This is called an end-user licence agreement. You tick and you click and you have consented to 45 pages of quite complicated prose that you did not bother to read and probably would not have understood if you had maintained attention for 45 pages. It does not much matter, because we have rather good consumer protection legislation, but there is this fiction of consent. However, at the other end of the spectrum, and in particular in a medical context, we have quite serious concepts of consent. For example, to name one medical document, the Helsinki Declaration of the World Medical Association contains the delicious thought that the researcher must ensure that the research participant has understood—then there is a whole list of things they have to understand, which includes the financial arrangements for the research. This is a fiction of consent of a completely different sort.
We should be aware that, deep down in this legislation, there is no level playing field at all. There are sectoral regimes with entirely different understandings of consent. We have, in effect, a plurality of regimes for privacy protection. Could we do otherwise or do better? I will not use any time, but I note that legislation that built on the principle of confidentiality, which is a principle that relates to the transfer of data from one party to another, might be more effective in the long run. It would of course have to be a revised account of confidentiality that was not tied to particular conceptions of professional or commercial confidentiality. We have to go ahead with this legislation now, but it may not be where we can stay for the long run.
My Lords, this has been an interesting, and for me at times a rather confusing, debate on the issues associated with the Bill. The Bill is complex, but I understand that it is necessarily complex. For example, under European law it is not allowed to reproduce the GDPR in domestic legislation. The incorporation of the GDPR into British law is happening under the repeal Bill, not under this legislation. Therefore, the elephant and the prints are in the other place rather than here.
We on these Benches welcome the Bill. It provides the technical underpinnings that will allow the GDPR to operate in the UK both before and after Brexit, together with the permitted derogations from the GDPR available to all EU member states. For that reason it is an enabling piece of legislation, together with the GDPR, which is absolutely necessary to allow the UK to continue to exchange data, whether it is done by businesses for commercial purposes or by law enforcement or for other reasons, once we are considered to be a third-party nation rather than a member of the European Union.
We also welcome the extension of the effect of the GDPR—the rules and regulations that the GDPR provides—to other areas that are currently covered by the Data Protection Act 1998 but which are outside the scope of the GDPR, thus, as far as I understand it, providing a consistent approach to data protection across the piece. This leaves law enforcement and national security issues outside of the scope of GDPR and the “applied GDPR”, which are covered in Parts 3 and 4.
The enforcement regime, the Information Commissioner, is covered in Part 5, because we will repeal the Data Protection Act 1998 and so we need to restate the role of the Information Commissioner as the person who will enforce, and we will need to explore concerns that we have in each part of the Bill as we go through Committee. However, generally speaking, we welcome the Bill and its provisions.
Of course, what the Government, very sensibly, are trying to do but do not want to admit, is to ensure that the UK complies with EU laws and regulations—in this case in relation to data protection—so that it can continue to exchange data with the EU both before and after Brexit. All this government hype about no longer being subject to EU law after Brexit is merely the difference between having to be subject to EU law because we are a member of the EU and having to be subject to EU law because, if we do not, we will not be able to trade freely with the EU or exchange crime prevention and detection intelligence, and counterterrorism intelligence, with the EU. That is the only difference.
For most aspects of data exchange, compliance with the GDPR is required. The GDPR is directly applicable, so it cannot simply be transposed into this Bill. Coupled with the derogations and applying the GDPR to other aspects of data processing not covered by the GDPR makes this part of the Bill complex—and, as I suggest, probably necessarily so.
For law enforcement purposes, data exchange is covered by an EU law enforcement directive, which can be, and has been, transposed to form Part 3 of the Bill as far as I understand it. A data protection regime for the processing of personal data by the intelligence services—in the case of the UK, MI5, MI6 and GCHQ —is covered by Council of Europe Convention 108. Part 4 of the Bill is based on a modernised draft of Convention 108, which has yet to be formally agreed, but this puts the UK in effect slightly ahead of the curve on that aspect of regulation.
Clearly, we need to probe and test the derogations allowed under the GDPR that are proposed in the Bill, particularly when hearing about the potential consequences, as outlined by, for example, the noble Viscount, Lord Colville of Culross. We also need to examine whether applying GDPR rules and regulations to other areas of data processing provides equivalent or enhanced safeguards compared with those provided by the Data Protection Act, and we need to ensure that the safeguards provided by the law enforcement directive and Council of Europe Convention 108 are provided by the Bill.
As regards our specific concerns, as my noble friend Lord McNally mentioned in his opening remarks and as reinforced by my noble friend Lady Ludford, if the Bill results in a refusal to allow not-for-profit bodies to exercise Articles 77 to 79 to pursue data protection infringements on their own accord, we will have to challenge that, but perhaps the Minister can clarify whether that is the case.
As my noble friend Lady Ludford also mentioned, along with the noble Baroness, Lady Jay of Paddington, various provisions to allow Ministers to alter the application of the GDPR by regulation is something that we need much further scrutiny of, albeit that Ministers’ hands are likely to be tied by the requirement to comply with changing EU law after Brexit—de facto even if not de jure. Could it be—perhaps the Minister can help us here—that the purpose of these powers, put into secondary legislation, is to enable the UK to keep pace with changes in EU law after Brexit?
Although we welcome the ability of individuals to challenge important wholly automated decisions, requiring human intervention at the request of the data subject, research shows that the application of algorithms and artificial intelligence, even in machine learning of language, can result in unfair discrimination. Even when human decision-making is informed by automated processes, safeguards still need to be in place to ensure fairness, such as transparency around what the automated processes involve. While decisions around personal finance, such as credit scoring and the assessment of insurance risk, are important, in the United States the application of algorithms in the criminal justice arena has resulted in unfair discrimination that has even more serious consequences for individuals. Even if such automated processes are yet to apply to the UK criminal justice system, the Bill must safeguard against future developments that may have unintended negative consequences.
As other noble Lords have said, we have concerns about the creation of a criminal offence of re-identification of individuals. As the noble Lord, Lord Arbuthnot of Edrom, said, criminalising re-identification could allow businesses to relax the methods that they use to try to anonymise data on the basis that people will not try to re-identify individuals because it is a criminal offence.
Despite what is contained in this Bill, we have serious concerns that there are likely to be delays to being granted data adequacy status by the European Commission when we leave the EU. That means that there would not be a seamless continuation of data exchange with the EU 27 after Brexit. We also have serious concerns, as does the Information Commissioner, that there are likely to be objections to being granted data adequacy status because of the bulk collection of data allowed for under the Investigatory Powers Act, as the noble Lord, Lord Stevenson of Balmacara, said in his opening remarks. We also intend to revisit the issue of the requirement under international human rights law, and upheld by the European Court of Human Rights in 2007, that as soon as notification can be made without prejudicing the purpose of surveillance after its termination, information should be provided to the persons concerned.
As the noble Baroness, Lady Lane-Fox, mentioned, it is essential that the Information Commissioner is provided with adequate resources. My understanding is that there has been a considerable loss of staff in recent times, not least because commercial organisations want to recruit knowledgeable staff to help them with the implementation of GDPR, plus the 1% cap on public sector pay has diminished the number of people working for the Information Commissioner. It is absolutely essential that she has the resources she needs, bearing in mind the additional responsibilities that will be placed upon her.
The age of consent will clearly be an interesting topic for discussion. What we are talking about here is at what age young people should be allowed to sign up to Facebook or other social media. Most of us would acknowledge that children have a greater knowledge and are more computer literate than their parents and grandparents. As one of the surveys mentioned this evening showed, it would be very easy for young people to circumvent rules around the age of consent as set in legislation. For example, any teenager would know how to make the internet believe that they were in the United States when they were physically in the United Kingdom, and therefore they would have to comply only with any age of consent set in America. While I understand the burning desire for people to protect children and ensure that they are not exploited through social media, one has to live in the real world and look for solutions that are actually going to work: for example, educating young people on how to avoid being groomed online and the dangers of social media, and informing parents about how they can keep an eye on their children’s activities, rather than trying to set an unrealistic target for the age at which someone could sign up.
Finally, the noble Lord, Lord Mitchell, talked about the data privately stored on iPhones, which was informative. Last week, I was rather shocked when, in California, I went to a gym that was rather busy. I looked on Google Maps, which very helpfully informed me when the busiest times were in that particular gym on that particular day. I found that very useful, but I found it very frightening that it also told me that I had been at that gym three hours before.
My Lords, we welcome the Bill generally and support the main principles, but that is not to say that we do not have issues that we intend to raise during the passage of the Bill where we believe that improvements could be made. We will certainly test the Government’s assertion that the Bill will ensure that we can be confident that our data is safe as we make the transition into a future digital world.
My noble friend Lord Knight of Weymouth highlighted some of the challenges that we face in the use of data, the consent that we give and how we can have greater control—or, in fact, any control at all—as data and the use of data grow exponentially. In his contribution, the noble Lord, Lord Marlesford, highlighted the complexity of these matters. That is the problem—the constant growth in complexity and our ability to understand the changes as they run away with themselves. We are aware that there will be a number of government amendments to the Bill. When we see those, we will be able to take a view on them. But the fact that we can expect such a large number at this early stage of the Bill makes one wonder how prepared the Government are for this new challenge.
The broad aim of the Bill is to update the UK’s data protection regime in accordance with the new rules, as agreed at European level. It is important as we prepare to leave the European Union that we have strong, robust laws on data protection that ensure that we have up-to-date legislation that is on a par with the best in the world to protect individuals, businesses and the UK as a whole and to play our part in ensuring that the UK remains a place where it is difficult for criminals to operate. As the noble Lord, Lord Jay, said in his contribution covering the report of the European Union Home Affairs Sub-Committee, the amount of cross-border data flows to the UK cannot be overstated, with services accounting for 44% of the UK’s total global exports and three-quarters of the UK’s cross-border data flows being with other EU countries. The UK must remain a place where people and organisations all over the world want to do business and a place that has safety and robust protection at its heart.
The noble Baroness, Lady Lane-Fox of Soho, made important points about the need for the UK to be the best and safest place in the world to trade online. Her contribution to debates in your Lordships’ House to make the Bill the best it can be will be of vital importance as the Bill makes progress. The noble Baroness is right that a lot of education is needed to prepare the public and business for the changes.
The concerns of business must be taken into account. When the noble Baroness, Lady Williams of Trafford, responds to the debate, I hope she will refer to the concerns expressed by small businesses. In particular, will she explain what plans the Government have to ensure that small businesses are aware of the changes and the action that they need to take? These are the sorts of businesses that are the backbone of the country. They are not able to employ expensive lawyers or have compliance departments to advise them on the action that needs to be taken. We need a targeted awareness campaign from the Government and the regulator and small-business-friendly support and guidance rolled out in good time so that the necessary changes can be made. I fully understand the concerns that businesses have in this regard and the Government must respond to those positively.
The Bill implements the general data protection regulation—GDPR—standards across all general data processing and the Opposition support that. As we have heard in the debate, the UK will need to satisfy the European Commission that our legislative framework ensures an adequate level of protection. The Commission will need to be satisfied on a wide variety of issues to give a positive advocacy decision, and when we leave the European Union we will still have to satisfy the high adequacy standards to ensure that we can trade with the European Union and the world. Those too are matters that we will test in Committee.
Important principles of lawfulness in obtaining data and the consent of individuals to their data being held are set out in the Bill. My noble friend Lady Jay of Paddington made important points about how to achieve a better-educated public about the use of their data, the media and online literacy, and the risks to them of the abuse of their data.
The additional GDPR rights which strengthen and add to an individual’s rights, as set out in the Data Protection Act 1998, are a positive step forward. We have all seen examples of people’s data being held unlawfully and the measures in this Bill should help in that respect. There is also the issue of data held about all of us that is confidential, such as medical and health data, and ensuring that it is processed in a confidential way is something we would all support, alongside the proper use of health data to combat disease and improve healthcare through proper research. A number of noble Lords have made reference to that, and certainly nothing should be done which would endanger research that saves lives.
The right to be forgotten is an important concept, particularly where the consent was given as a child, although we will want to probe why the right of erasure of personal data is restricted to 18 years and above, particularly when the consent may have been given when the individual was 13 years of age. Cyberbullying is a dreadful experience for anyone and it is important that we are very clear during the passage of the legislation on how people are able to protect themselves from this abuse. The Bill will formalise the age at which a child can consent to the processing of data at 13 years in the UK, which is the lowest possible age in the EU. The right reverend Prelate the Bishop of Chelmsford referred to this point in his contribution and I agree with him about the need for further consultation with parents and the public, a point also made by the noble Baroness, Lady Howe.
The noble Baroness, Lady Kidron, made an excellent contribution and she is right to say that children are no match for a number of the very powerful tech companies. I too read carefully the briefings from the Children’s Society and YoungMinds on this matter. All the major online platforms have a minimum user age of 13, although the vast majority of young people—some 73% according to the survey—have their first social media account before they are 13. This is an issue that will rightly get a lot of attention from noble Lords. On reading the briefing note I could see the point being made that setting the age at 16 could have an adverse effect in tackling grooming, sexual exploitation and abuse. If we wanted to go down the route of increasing the age when someone can consent to the use of their personal data, we must at the same time make significant changes to the grooming and sexual offences legislation, again a point made by the noble Baroness, Lady Howe, in her remarks. It would be wrong to make this change in isolation because it actually risks making the online world more dangerous for young people.
In responding to the debate, will the noble Baroness, Lady Williams of Trafford, set out how the Government decided that 13 was the appropriate age of consent for children to access social media and does she believe, as I do, that the social media companies need to do much more to protect children when they are online? What consultation did the Government undertake before deciding that 13 years was the correct age, a question put by many noble Lords in the debate?
There are also the important issues of protecting vulnerable people in general, not only children but the elderly as well. As my noble friend Lord Stevenson of Balmacara said, the Government have an opportunity to allow independent organisations acting in the public interest to bring collective redress actions or super-complaints for breaches in data protection rules. They have not done so, and this may be an error on their part as the super-complaint system works well in other fields. It would enable an effective system of redress for consumers to be put in place. It could also be contended that just having such a system in place would have a positive effect in terms of organisations making sure that they are compliant and not tempted to cut corners, and generally make for a stronger framework.
The Opposition support the approach of transposing the law enforcement directive into UK law through this Bill. It is important that we have consistent standards across specific law enforcement activities. In the briefing, the Information Commissioner raised the issue of overview and scope as detailed in Clause 41. It would be helpful, when responding to the debate, if the Minister could provide further clarification in respect of the policy intention behind the restriction on individuals being able to approach the Information Commissioner to exercise their rights.
The processing of personal data by the intelligence services is of the utmost importance. Keeping their citizens safe is the number one priority of the Government. We need to ensure that our intelligence services have the right tools and are able to work within modern international standards, including the required safeguards, so that existing, new and emerging threats to the safety and security of the country are met. These are fine lines and it is important that we get them right.
The point made by a number of noble Lords, including the noble Lord, Lord Jay, and the noble Baroness, Lady Ludford, that our position as a third country on leaving the EU may leave us subject to meeting a higher threshold is a matter for concern. I hope the noble Baroness, Lady Williams, will respond to that specific point when she replies to the debate.
The Information Commissioner having an independent authority responsible for regulating the GDPR—which will also act as the supervisory authority in respect of the law enforcement provisions as set out in Part 3 of the Bill—is welcome, as is the designation of the commissioner as the authority under Convention 108. I welcome the proposal to consult the commissioner on legislation and other measures that relate to data processing. The commissioner has an important international role and I fully support her playing a role in the various EU bodies she engages with, up until the point when we leave the EU. We must also be satisfied in this House that we have sufficiently robust procedures in place so that we will work closely with our EU partners after we have left the EU. Failure to do so could have serious repercussions for the UK as a whole, our businesses and our citizens. Data flows in and out of the UK are a complex matter and the regulator needs authority when dealing with others beyond the UK. That is something we will have to test carefully as the Bill passes through your Lordships’ House.
The clauses of the Bill in respect of enforcement are generally to be welcomed. It is important that the commissioner retains the power to ensure data is properly protected. I agree very much with the noble Lord, Lord McNally, about the importance of ensuring that the Information Commissioner remains adequately funded. It is right that those powers are used proportionally in relation to the specific matters at hand, using, where appropriate, non-criminal enforcement, financial penalties and, where necessary, criminal prosecution. As I said, we need a proper programme of information to ensure that small businesses in particular are ready for the changes and new responsibilities they will take on.
One of the issues we have to address is the challenge that technology brings and how our legislation will remain fit for purpose and accepted by other competent authorities outside our jurisdiction—particularly by the European Union after we leave it.
In conclusion, this in an important Bill. As the Opposition, we can support its general direction, but we have concerns about the robustness of what is proposed. We will seek to probe, challenge and amend the Bill to ensure that it really does give us the legalisation the UK needs to protect its citizens’ data and its lawful use.
My Lords, this has been a lengthy but excellent debate. I very much welcome the broad support from across the House for the Bill’s objectives; namely, that we have a data protection framework that is fit for the digital age, supports the needs of businesses, law enforcement agencies and other public sector bodies, and—as the noble Lord, Lord Kennedy, said—safeguards the rights of individuals in the use of their personal data.
In bringing the Bill before your Lordships’ House at this time, it is fortunate that we have the benefit of two recent and very pertinent reports from the Communications Committee and the European Union Committee. Today’s debate is all the better for the insightful contributions we have heard from a number of members of those committees, namely the noble Lord, Lord Jay, the noble Viscount, Lord Colville, the noble Baroness, Lady Kidron, the right reverend Prelate the Bishop of Chelmsford and my noble friend Lady Neville-Rolfe.
In its report Growing Up with the Internet, the Communications Committee noted with approval the enhanced rights that the GDPR would confer on children, including the right to be forgotten, and asked for those rights to be enshrined in UK law as a minimum standard. I am pleased to say the Bill does just that. The European Union Committee supported the Government’s objective to maintain the unhindered and uninterrupted flow of data with other member states following the UK’s exit from the EU. Understandably, the committee pressed the Government to provide further details of how that outcome will be achieved.
With the provisions in the Bill, the UK starts from an unprecedented point of alignment with the EU in terms of the legal framework underpinning the exchange and protection of personal data. In August, the Government set out options for the model for protecting and exchanging personal data. That model would allow free flows of data to continue between the EU and the UK and provide for ongoing regulatory co-operation and certainty for businesses, public authorities and individuals. Such an approach is made possible by the strong foundations laid by the provisions in the Bill.
In other contributions to this debate, we have had the benefit of a wide range of experiences, including from noble Lords who are able to draw on distinguished careers in business, education, policing or the Security Service. In doing so, noble Lords raised a number of issues. I will try to respond to as many of those as I can in the time available, but if there are specific points, as I am sure there will be, that I cannot do justice to now, both my noble friend Lord Ashton and I will of course follow up this debate with a letter.
A number of noble Lords, including the noble Lord, Lord Kennedy, the noble Baroness, Lady Lane-Fox, and my noble friend Lady Neville-Rolfe, asked whether the Bill was too complex. It was suggested that data controllers would struggle to understand the obligations placed on them and data subjects to understand and access their rights. As the noble Lord, Lord Paddick, said, the Bill is necessarily so, because it provides a complete data protection framework for all personal data. Most data controllers will need to understand only the scheme for general data, allowing them to focus just on Part 2. As now, the Information Commissioner will continue to provide guidance tailored to data controllers and data subjects to help them understand the obligations placed on them and exercise their rights respectively. Indeed, she has already published a number of relevant guidance documents, including—the noble Lord, Lord Kennedy, will be interested to know this—a guide called Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now. It sounds like my type of publication.
Other noble Lords rightly questioned what they saw as unnecessary costs on businesses. My noble friends Lord Arbuthnot and Lady Neville-Rolfe and the noble Lord, Lord Kennedy, expressed concern that the Bill would impose a new layer of unnecessary regulation on businesses—for example, in requiring them to respond to subject access requests. Businesses are currently required to adhere to the Data Protection Act, which makes similar provision. The step up to the new standards should not be a disproportionate burden. Indeed, embracing good cybersecurity and data protection practices will help businesses to win new customers both in the UK and abroad.
A number of noble Lords, including the noble Lord, Lord Jay, asked how the Government would ensure that businesses and criminal justice agencies could continue, uninterrupted, to share data with other member states following the UK’s exit from the EU. The Government published a “future partnership” paper on data protection in August setting out the UK’s position on how to ensure the continued protection and exchange of personal data between the UK and the EU. That drew on the recommendations of the very helpful and timely report of the European Union Committee, to which the noble Lord referred. For example, as set out in the position paper, the Government believe that it would be in our shared interest to agree early to recognise each other’s data protection frameworks as the basis for continued flow of data between the EU and the UK from the point of exit until such time as new and more permanent arrangements came into force. While the final arrangements governing data flows are a matter for the negotiations—I regret that I cannot give a fuller update at this time—I hope that the paper goes some way towards assuring noble Lords of the importance that the Government attach to this issue.
The noble Baroness, Lady Kidron, queried the status of Article 8 of the European Charter of Fundamental Rights, which states:
“Everyone has the right to the protection of personal data concerning him or her”.
The Bill will ensure that the UK continues to provide a world-class standard of data protection both before and after we leave the European Union.
Several noble Lords, including the noble Lord, Lord Paddick, in welcoming the Bill asked whether the Information Commissioner would have the resource she needs to help businesses and others prepare for the GDPR and LED and to ensure that the new legislation is properly enforced, especially once compulsory notification has ended. The Government are committed to ensuring that the Information Commissioner is adequately resourced to fulfil both her current functions under the Data Protection Act 1998 and her new ones. Noble Lords will note that the Bill replicates relevant provisions of the Digital Economy Act 2017, which ensures that the Information Commissioner’s functions in relation to data protection continue to be funded through charges on data controllers. An initial proposal on what those changes might look like is currently being consulted upon. The resulting regulations will rightly be subject to parliamentary scrutiny in due course.
Almost every noble Lord spoke in one way or another about protecting children online, particularly the noble Baroness, Lady Kidron, and the right reverend Prelate the Bishop of Chelmsford, who referred to the Select Committee on Communications report Growing Up with the Internet. The focus of that report was on addressing concerns about the risk to children from the internet. The Government believe that Britain should be the safest place in the world to go online and we are determined to make that a reality. I am happy to confirm that the Government will publish an internet safety strategy Green Paper imminently. This will be an important step forward in tackling this crucial issue. Among other things, the Green Paper will set out plans for an online code of practice that we want to see all social media companies sign up to, and a plan to ensure that every child is taught the skills they need to be safe online.
The other point that was brought up widely, including by the noble Lord, Lord Kennedy, was whether it was appropriate for 13 year-olds to be able to hand over their personal data to social media companies without parental consent. We heard alternative perspectives from my noble friend Lord Arbuthnot and the noble Baroness, Lady Lane-Fox. Addressing the same clause, the right reverend Prelate the Bishop of Chelmsford questioned the extent to which the Government had consulted on this important issue. The noble Baroness, Lady Howe, and the noble Lord, Lord Kennedy, made a similar point. In answer to their specific questions, 170 organisations and numerous individuals responded to the Government’s call for views, published in April, which addressed this issue directly. The Government’s position reflects the responses received. Importantly, it recognises the fundamental role that the internet already plays in the lives of teenagers. While we need to educate children on the risks and to work with internet companies to keep them safe, online platforms and communities provide children and young people with an enormous educational and social resource, as the noble Baroness, Lady Lane-Fox, pointed out. It is not an easy balance to strike, but I am convinced that, in selecting 13, the Government has made the right choice and one fully compatible with the UN Convention on the Rights of the Child, to which the noble Lord, Lord Stevenson, referred.
The noble Baronesses, Lady Jay and Lady Hamwee, stressed the importance of adequate understanding of digital issues, particularly among children. Improving digital skills is a priority of the Government’s digital strategy, published earlier this year. As noble Lords will be aware, the Digital Economy Act created a new statutory entitlement to digitals skills training, which is certainly an important piece of the puzzle. As I have already said, the Government will publish a comprehensive Green Paper on internet safety imminently which will explore further how to develop children’s digital literacy and provide support for parents and carers.
The noble Baroness, Lady Ludford, and the noble Lord, Lord Paddick, I think it was, asked about the Government choosing not to exercise the derogation in article 80 of the GDPR to allow not-for-profit organisations to take action on behalf of data subjects without their consent. This is a very important point. It is important to note that not-for-profit organisations will be able to take action on behalf of data subjects where the individuals concerned have mandated them to do so. This is an important new right for data subjects and should not be underestimated.
The noble Baroness, Lady Manningham-Buller, the noble Lords, Lord Kennedy and Lord Patel, and my noble friend Lady Neville-Jones all expressed concern about the effect that safeguards provided in the Bill might have on certain types of long-term medical research, such as clinical trials and interventional research. My noble friend pointed out that such research can lead to measures or decisions being taken about individuals but it might not be possible to seek their consent in every case. The noble Lord, Lord Patel, raised a number of related issues, including the extent of Clause 7. I assure noble Lords that the Government recognise the importance of these issues. I would be very happy to meet noble Lords and noble Baronesses to discuss them further.
The noble Baroness, Lady Ludford, and the noble Lord, Lord Patel, noted that the Bill is not going to be used to place the National Data Guardian for Health and Social Care on a statutory footing. I assure them that the Government are committed to giving the National Data Guardian statutory force. A Bill to this end was introduced in the House of Commons on 5 September by my honourable friend Peter Bone MP, and the Government look forward to working with him and parliamentary colleagues over the coming months.
My noble friend Lord Arbuthnot and others questioned the breadth of delegated powers provided for in Clause 15, which allows the Secretary of State to use regulations to permit organisations to process personal data in a wider range of circumstances where needed to comply with a legal obligation, to perform a task in the public interest or in the exercise of official authority. Given how quickly technology evolves and the use of data can change, there may be occasions when it is necessary to act relatively quickly to provide organisations with a legal basis for a particular processing operation. The Government believe that the use of regulations, rightly subject to the affirmative procedure, is entirely appropriate to achieve that. But we will of course consider very carefully any recommendations made on this or any other regulation-making power in the Bill by the Delegated Powers and Regulatory Reform Committee, and I look forward to seeing its report in due course.
The noble Viscount, Lord Colville, queried the role of the Information Commissioner in relation to special purposes processing, including in relation to journalism. In keeping with the approach taken in the 1998 Act, the Bill provides for broad exemptions when data is being processed for journalism, where the controller reasonably believes that publication is in the public interest. I reassure noble Lords that the Information Commissioner’s powers, as set out in Clause 164, are tightly focused on compliance with these requirements and not on media conduct more generally. There is a right of appeal to ensure that the commissioner’s determination can be challenged. This is an established process which the Bill simply builds upon.
The noble Lord, Lord Black, questioned the power given to the Information Commissioner to assist a party or prospective party in special purposes proceedings. In this sense, “special purposes” refers to journalistic, literary, artistic or academic purposes. The clause in question, Clause 165, replicates the existing provision in Section 53 of the 1998 Act. It simply reflects the potential public importance of a misuse of the otherwise vital exemptions granted to those processing personal data for special purposes. In practice, I am not aware of the commissioner having provided such assistance but the safeguard is rightly there.
The noble Lord, Lord Janvrin, spoke eloquently about the potential impact of the Bill on museums and archives. The Government agree about the importance of this public function. It is important to note that the Data Protection Act 1998 made no express provision relating to the processing of personal data for archiving purposes. In contrast, the Bill recognises that archives may need to process sensitive personal data, and there is a specific condition to allow for this. The Bill also provides archives with specific exemptions from certain rights of data subjects, such as rights to access and rectify data, where this would prevent them fulfilling their purposes.
The noble Lord, Lord Knight, queried the safeguards in place to prevent the mining of corporate databases for other, perhaps quite distinct, purposes, and the noble Lord, Lord Mitchell, made a similar point. I can reassure them that any use of personal data must comply with the relevant legal requirements. This would include compliance with the necessary data protection principles, including purpose limitation. These principles will be backed by tough new rules on transparency and consent that will ensure that once personal data is obtained for one purpose it cannot generally be used for other purposes without the data subject’s consent.
My noble friend Lord Marlesford raised the desirability of a central system of unique identifying numbers. The Bill will ensure that personal data is collected only for a specific purpose, that it is processed only where there is a legal basis for so doing and that it is always used proportionately. It is not clear to me that setting out to identify everybody in the same way in every context, with all records held centrally, is compatible with these principles. Rather, this Government believe that identity policy is context-specific, that people should be asked to provide only what is necessary, and that only those with a specific need to access data should be able to do so. The Bill is consistent with that vision.
I look forward to exploring all the issues that we have discussed as we move to the next stage. As the Information Commissioner said in her briefing paper, it is vital that the Bill reaches the statute book, and I look forward to working with noble Lords to achieve that as expeditiously as possible. Noble Lords will rightly want to probe the detailed provisions in the Bill and subject them to proper scrutiny, as noble Lords always do, but I am pleased that we can approach this task on the basis of a shared vision; namely, that of a world-leading Data Protection Bill that is good for business, good for the law enforcement community and good for the citizen. I commend the Bill to the House.
Bill read a second time and committed to a Committee of the Whole House.
Brexit: Data Protection (EU Committee Report)
Motion to Take Note
That this House takes note of the Report from the European Union Committee Brexit: EU Data Protection Package (3rd Report, HL Paper 7)
House adjourned at 10.08 pm.