Data Protection and Digital Information Bill

Volume 837: debated on Wednesday 17 April 2024

Committee (5th Day)

Scottish, Welsh and Northern Ireland Legislative Consent sought.

Clause 44: Complaints to controllers

Debate on whether Clause 44 should stand part of the Bill.

My Lords, I start today with probably the most innocuous of the amendments, which is that Clause 44 should not stand part. Others are more significant, but its purpose, if one can describe it as such, is as a probing clause stand part, to see whether the Minister can explain the real motive and impact of new Section 164A, which is inserted by Clause 44. As the explanatory statement says, it appears to hinder

“data subjects’ right to lodge complaints, and extends the scope of orders under Section 166 of the Data Protection Act to the appropriateness of the Commissioner’s response to a complaint.”

I am looking to the Minister to see whether he can unpack the reasons for that and what the impact is on data subjects’ rights.

More fundamental is Amendment 153, which relates to Clause 45. This provision inserts new Section 165A into the Data Protection Act, according to which the commissioner would have the discretion to refuse to act on a complaint if the complainant did not try to resolve the infringement of their rights with the relevant organisation and at least 45 days have passed since then. The right to an effective remedy constitutes a core element of data protection—most individuals will not pursue cases before a court, because of the lengthy, time-consuming and costly nature of judicial proceedings—and acts as a deterrent against data protection violations, in so far as victims can obtain meaningful redress. Administrative remedies are particularly useful, because they focus on addressing malpractice and obtaining meaningful changes in how personal data is handled in practice.

However, the ICO indicates that in 2021-22 it did not serve a single GDPR enforcement notice, secured no criminal convictions and issued only four GDPR fines, totalling just £633,000, despite the fact that it received over 40,000 data subject complaints. Moreover, avenues to challenge ICO inaction are extremely limited. Scrutiny of the information tribunal has been restricted to a purely procedural as opposed to a substantive nature. It was narrowed even further by the Administrative Court decision, which found that the ICO was not obliged to investigate each and every complaint.

Amendment 153 would remove Clause 45. The ICO already enjoys a wide margin of discretion and little accountability for how it handles complaints. In light of its poor performance, it does not seem appropriate to expand the discretion of the new information commission even further. It would also extend the scope of orders under Section 166 of the Data Protection Act to the appropriateness of the commissioner’s response to a complaint. This would allow individuals to promote judicial scrutiny over decisions that have a fundamental impact into how laws are enforced in practice and it would increase the overall accountability of the new information commission.

We have signed Amendment 154, in the name of the noble Baroness, Lady Jones, and I look forward to hearing what she says on that. I apologise for the late tabling of Amendments 154A to 154F, which are all related to Amendments 155 and 175. Clause 47 sets out changes in procedure in the courts, in relation to the right of information of a data subject under the 2018 Act, but there are other issues that need resolving around the jurisdiction of the courts and the Upper Tribunal in data protection cases. That is the reason for tabling these amendments.

The High Court’s judgment in the Delo v ICO case held that part of the reasoning in Killock and Veale about the relative jurisdiction of the courts and tribunals was wrong. The Court of Appeal’s decision in the Delo case underlines concerns, but does not properly address the jurisdictions’ limits in Sections 166 and 167 of the 2018 Act, regarding the distinction between determining procedural failings or the merits of decisions by the ICO. Surely jurisdiction under these sections should be in either the courts or the tribunals, not both. In the view of many, including me, it should be in the tribunals. That is what these amendments seek.

It is clear from these two judgments that there was disagreement on the extent of the jurisdiction of tribunals and courts, notably between Mrs Justice Farbey and Mr Justice Mostyn. The commissioner submitted very different submissions to the Upper Tribunal, the High Court and the Court of Appeal, in relation to the extent and limits of Sections 166 and 167. It is not at all clear what Parliament’s intentions were, when passing the 2018 Act, on the extents and limits of the powers in these sections and whether the appropriate source of redress is a court or tribunal.

This has resulted in jurisdictional confusion. A large number of claims have been brought in either the courts or the tribunals, under either Section 166 or Section 167, and the respective court or tribunal has frequently ruled that the claim should have been made under the other section and it therefore does not have jurisdiction, so that the claim is struck out. The Bill offers a prime opportunity to resolve this issue.

Clause 45(5), which creates new Section 166A, would only blur the lines even more and fortify the reasoning for the claim to be put into the tribunals, rather than the courts. These amendments would give certainty to the courts and tribunals as to their powers and would be much less confusing for litigants in person, most of whom do not have the luxury of paying hundreds of thousands in court fees. This itself is another reason for this to remain in the tribunals, which do not charge fees to issue proceedings.

The proposed new clause inserted by Amendment 287 would require the Secretary of State to exercise powers under Section 190 of the 2018 Act to allow public interest organisations to raise data protection complaints on behalf of individuals generally, without the need to obtain the authorisation of each individual being represented. It would therefore implement Article 80(2) of the GDPR, which provides:

“Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing”.

The intention behind Article 80(2) is to allow appropriately constituted organisations to bring proceedings concerning infringements of the data protection regulations in the absence of the data subject. That is to ensure that proceedings may be brought in response to an infringement, rather than on the specific facts of an individual’s case. As a result, data subjects are, in theory, offered greater and more effective protection of their rights. Actions under Article 80(2) could address systemic infringements that arise by design, rather than requiring an individual to evidence the breaches and the specific effects to them.

At present, an affected individual—a data subject—is always required to bring a claim or complaint to a supervisory authority. Whether through direct action or under Section 187 of the 2018 Act, a data subject will have to be named and engaged. In practice, a data subject is not always identifiable or willing to bring action to address even the most egregious conduct.

Article 80(2) would fill a gap that Article 80(1) and Section 187 of the Data Protection Act are not intended to fill. Individuals can be unwilling to seek justice, exercise their rights and lodge data protection complaints on their own, either for fear of retaliation from a powerful organisation or because of the stigma that may be associated with the matter where a data protection violation occurred. Even a motivated data subject may be unwilling to take action due to the risks involved. For instance, it would be reasonable for that data subject not to want to become involved in a lengthy, costly legal process that may be disproportionate to the loss suffered or remedy available. This is particularly pressing where the infringement concerns systemic concerns rather than where an individual has suffered material or non-material damage as a result of the infringement.

Civil society organisations have long helped complainants navigate justice systems in seeking remedies in the data protection area, providing a valuable addition to the enactment of UK data protection laws. My Amendment 287 would allow public interest organisations to lodge representative complaints, even without the mandate of data subjects, to encourage the filing of well-argued, strategically important cases with the potential to improve significantly the data subject landscape as a whole. This Bill is the ideal opportunity for the Government to implement fully Article 80(2) of the GDPR from international law and plug a significant gap in the protection of UK citizens’ privacy.

In effect, this is unfinished business from our debates on the 2018 Act, when we made several attempts to persuade the Government of the merits of introducing the rights under Article 80(2). I hope that the Government will think again. These are extremely important rights and are available in many other countries governed by a similar GDPR. I beg to move.

My Lords, as a veteran of the 2018 arguments on Article 80(2), I rise in support of Amendment 287, which would see its implementation.

Understanding and exercising personal data rights is not straightforward. Even when the rights are being infringed, it is rare that an individual data subject has the time, knowledge or ability to make a complaint to the ICO. This is particularly true for vulnerable groups, including children and the elderly, disadvantaged groups and other groups of people, such as domestic abuse survivors or members of the LGBTQ community, who may have specific reasons for not identifying themselves in relation to a complaint. It is a principle in law that a right that cannot be activated is not fully given.

A data subject’s ability to claim protection is constrained by a range of factors, none of which relates to the validity of their complaint or the level of harm experienced. Rather, the vast majority are prevented from making a complaint by a lack of expertise, capacity, time and money; by the fact that they are not aware that they have data rights; or by the fact that they understand neither that their rights have been infringed nor how to make a complaint about them.

I have considerable experience of this. I remind the Committee that I am chair of the 5Rights Foundation, which has raised important and systemic issues of non-compliance with the AADC. It has done this primarily by raising concerns with the ICO, which has then undertaken around 40 investigations based on detailed submissions. However, because the information is not part of a formalised process, the ICO has no obligation to respond to the 5Rights Foundation team, the three-month time limit for complaints does not apply and, even though forensic work by the 5Rights Foundation identified the problem, its team is not consulted or updated on progress or the outcome—all of which would be possible had it submitted the information as a formal complaint. I remind the Committee that in these cases we are talking about complaints involving children.

Article 80(2) has important implications for the ability of a small, highly specialised civil society organisation to take action. The challenge and resource intensity to manage appropriately a child and their family or guardian through what is generally a long and drawn-out process is a major barrier to justice. Rightly, safeguarding and ensuring the privacy and well-being of a child is the paramount issue, but the issue raised is almost always relevant to all children, or a wide group of them—not just to a single child who has been forced into the position of poster child for a particular issue.

Giving a highly specialised civil society organisation the right to act on behalf of all children would provide a much simpler and more effective way to raise and resolve systemic risk, and this is obviously the case for other user groups. A formal relationship with the regulator would allow for better use of both the regulator and the NGO’s resources as the action and the learning would be transparent. The costs and evidentiary burden to show the nature of data protection infraction would lie with the complainant organisation, so there would still be a high bar of quality in the complaints process. Indeed, expert organisations are better placed to describe non-compliance, and it would prevent revictimising or overburdening a child if the law enabled expert groups to act on behalf of all children, or indeed any identified group being let down.

The noble Lord, Lord Clement-Jones, made an excellent case and, for the reasons given, I support his amendment.

My Lords, I listened carefully to the explanation given by the noble Lord, Lord Clement-Jones, for his stand part notice on Clause 44. I will have to read Hansard, as I may have missed something, but I am not sure I am convinced by his arguments against Clause 44 standing part. He described his stand part notice as “innocuous”, but I am concerned that if the clause were removed it would have a slightly wider implication than that.

We feel that there are some advantages to how Clause 44 is currently worded. As it stands, it simply makes it clear that data subjects have to use the internal processes to make complaints to controllers first, and then the controller has the obligation to respond without undue delay. Although this could place an extra burden on businesses to manage and reply to complaints in a timely manner, I would have thought that this was a positive step to be welcomed. It would require controllers to have clear processes in place for handling complaints; I hope that that in itself would be an incentive against their conducting the kind of unlawful processing that prompts complaints in the first place. This seems the best practice, which would apply anyway in most organisations and complaint and arbitration systems, including, perhaps, ombudsmen, which I know the noble Lord knows more about than I do these days. There should be a requirement to use the internal processes first.

The clause makes it clear that the data subject has a right to complain directly to the controller and it makes clear that the controller has an obligation to respond. Clause 45 then goes on to make a different point, which is that the commissioner has a right to refuse to act on certain complaints. We touched on this in an earlier debate. Clearly, to be in line with Clause 44, the controller would have to have finished handling the case within the allotted time. We agree with that process. However, an alternative reason for the commissioner to refuse is when the complaint is “vexatious or excessive”. We have rehearsed our arguments about the interpretation of those words in previous debates on the application of subject access requests. I do not intend to repeat them here, but our concern about that wording rightly remains. What is important here is that the ICO should not be able to reject complaints simply because the complainant is distressed or angry. It is helpful that the clause states that in these circumstances,

“the Commissioner must inform the complainant”

of the reasons it is considered vexatious or excessive. It is also helpful that the clause states that this

“does not prevent the complainant from making it a complaint again”,

presumably in a way more compliant with the rules. Unlike the noble Lord, Lord Clement-Jones—as I said, I will look at what he said in more detail—on balance, we are content with the wording as it stands.

On a slightly different tack, we have added our name to Amendment 154, in the name of the noble Lord, Lord Clement-Jones, and we support Amendment 287 on a similar subject. This touches on a similar principle to our previous debate on the right of data communities to raise data-breach complaints on behalf of individuals. In these amendments, we are proposing that there should be a collective right for organisations to raise data-breach complaints for individuals or groups of individuals who do not necessarily feel sufficiently empowered or confident to raise the complaints on their own behalf. There are many reasons why this reticence might occur, not least that the individuals may feel that making a complaint would put their employment on the line or that they would suffer discrimination at work in the future. We therefore believe that these amendments are important to widen people’s access to work with others to raise these complaints.

Since these amendments were tabled, we have received the letter from the Minister that addresses our earlier debate on data communities. I am pleased to see the general support for data intermediaries that he set out in his letter. We argue that a data community is a separate distinct collective body, which is different from the wider concept of data intermediaries. This seems to be an area in which the ICO could take a lead in clarifying rights and set standards. Our Amendment 154 would therefore set a deadline for the ICO to do that work and for those rights to be enacted.

The noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, made a good case for broadening these rights in the Bill and, on that basis, I hope the Minister will agree to follow this up, and follow up his letter so that we can make further progress on this issue.

The noble Lord, Lord Clement-Jones, has tabled a number of amendments that modify the courts and tribunals functions. I was hoping that when I stood here and listened to him, I would understand a bit more about the issues. I hope he will forgive me for not responding in detail to these arguments. I do not feel that I know enough about the legal background to the concerns but he seems to have made a clear case in clarifying whether the courts or tribunals should have jurisdiction in data protection issues.

On that basis, I hope that the Minister will also provide some clarification on these issues and I look forward to his response.

My Lords, I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for tabling these amendments to Clauses 44 and 45, which would reform the framework for data protection complaints to the Information Commissioner.

The noble Lord, Lord Clement-Jones, has given notice of his intention to oppose Clause 44 standing part of the Bill. That would remove new provisions from the Bill that have been carefully designed to provide a more direct route to resolution for data subjects’ complaints. I should stress that these measures do not limit rights for data subjects to bring complaints forward, but instead provide a more direct route to resolution with the relevant data controller. The measures formalise current best practice, requiring the complainant to approach the relevant data controller, where appropriate, to attempt to resolve the issue prior to regulatory involvement.

The Bill creates a requirement for data controllers to facilitate the making of complaints and look into what may have gone wrong. This should, in most cases, result in a much quicker resolution of data protection-related complaints. The provisions will also have the impact of enabling the Information Commissioner to redeploy resources away from handling premature complaints where such complaints may be dealt with more effectively, in the first instance, by controllers and towards value-added regulatory activity, supporting businesses to use data lawfully and in innovative ways.

The noble Lord’s Amendment 153 seeks, in effect, to expand the scope of the Information Commissioner’s duty to investigate complaints under Section 165 of the Data Protection Act. However, that Section of the Act already provides robust redress routes, requiring the commissioner to take appropriate steps to respond to complaints and offer an outcome or conclude an investigation within a specified period.

The noble Lord raised the enforcement of the UK’s data protection framework. I can provide more context on the ICO’s approach, although noble Lords will be aware that it is enforced independently of government by the ICO; it would of course be inappropriate for me to comment on how the ICO exercises its enforcement powers. The ICO aims to be fair, proportionate and effective, focusing on areas with the highest risk and most harm, but this does not mean that it will enforce every case that crosses its books.

The Government have introduced a new requirement on the ICO—Clause 43—to publish an annual report on how it has exercised its enforcement powers, the number and nature of investigations, the enforcement powers used, how long investigations took and the outcome of the investigations that ended in that period. This will provide greater transparency and accountability in the ICO’s exercise of its enforcement powers. For these reasons, I am not able to accept these amendments.

I also thank the noble Baroness and the noble Lord for their Amendments 154 and 287 concerning Section 190 of the Data Protection Act. These amendments would require the Secretary of State to legislate to give effect to Article 80(2) of the UK GDPR to enable relevant non-profit organisations to make claims against data controllers for alleged data breaches on behalf of data subjects, without those data subjects having requested or agreeing to the claim being brought. Currently, such non-profit organisations can already pursue such actions on behalf of individuals who have granted them specific authorisation, as outlined in Article 80(1).

In 2021, following consultation, the Government concluded that there was insufficient evidence to justify implementing Article 80(2) to allow non-profit organisations to bring data protection claims without the authorisation of the people affected. The Government’s response to the consultation noted that the regulator can and does investigate complaints raised by civil society groups, even when they are not made on behalf of named individuals. The ICO’s investigations into the use of live facial recognition technology at King’s Cross station and in some supermarkets in southern England are examples of this.

I also thank the noble Baroness, Lady Kidron, for raising her concerns about the protection of children throughout the debate—indeed, throughout all the days in Committee. The existing regime already allows civil society groups to make complaints to the ICO about data-processing activities that affect children and vulnerable people. The ICO has a range of powers to investigate systemic data breaches under the current framework and is already capable of forcing data controllers to take decisive action to address non-compliance. We are strengthening its powers in this Bill. I note that only a few member states of the EU have allowed non-governmental organisations to launch actions without a mandate, in line with the possibility provided by the GDPR.

I turn now to Amendments 154A, 154B—

Before the noble Lord gets there and we move too far from Amendment 154, where does the Government’s thinking leave us regarding a group of class actions? Trade unions take up causes on behalf of their membership at large. I guess, in the issue of the Post Office and Mr Bates, not every sub-postmaster or sub-postmistress would have signed up to that class action, even though they may have ended up being beneficiaries of its effects. So where does it leave people with regard to data protection and the way that the data protection scheme operates where there might be a class action?

If the action is raised on behalf of named individuals, those named individuals have to have given consent for that. If the action is for a general class of people, those people would not have to give their explicit consent, because they are not named in the action. Article 80(2) of the GDPR said that going that further step was optional for all member states. I do not know which member states have taken it up, but a great many have not, just because of the complexities to which it gives rise.

My Lords, just so that the Minister might get a little note, I will ask a question. He has explained what is possible—what can be done—but not why the Government still resist putting Article 80(2) into effect. What is the reason for not adopting that article?

The reason was that an extensive consultation was undertaken in 2021 by the Government, and the Government concluded at that time that there was insufficient evidence to take what would necessarily be a complex step. That was largely on the grounds that class actions of this type can go forward either as long as they have the consent of any named individuals in the class action or on behalf of a group of individuals who are unnamed and not specifically raised by name within the investigation itself.

Perhaps the Minister could in due course say what evidence would help to persuade the Government to adopt the article.

I want to help the Minister. Perhaps he could give us some more detail on the nature of that consultation and the number of responses and what people said in it. It strikes me as rather important.

Fair enough. Maybe for the time being, it will satisfy the Committee if I share a copy of that consultation and what evidence was considered, if that would work.

I will turn now to Amendments 154A to 155 and Amendment 175, which propose sweeping modifications to the jurisdiction of the court and tribunal for proceedings under the Data Protection Act 2018. These amendments would have the effect of making the First-tier Tribunal and Upper Tribunal responsible for all data protection cases, transferring both ongoing and future cases out of the court system and to the relevant tribunals.

The Government of course want to ensure that proceedings for enforcement of data protection rules, including redress routes available to data subjects, are appropriate for the nature of the complaint. As the Committee will be well aware, at present there is a mixture of jurisdiction for tribunals and courts under data protection legislation, depending on the precise nature of the proceedings in question. Tribunals are indeed the appropriate venue for some data protection proceedings, and the legislation already recognises that—for example, for application by data subjects for an order requiring the ICO to progress their complaint. However, courts are generally the more appropriate venue for cases involving claims for compensation and successful parties can usually recover their costs. Courts also apply stricter rules of procedure and evidence than tribunals. That is because some cases are appropriate to fall under the jurisdiction of the tribunal, while others are more appropriate for court jurisdiction. For example, claims by individuals against organisations for breaches of legal requirements can result in awards of compensatory damages for the individuals and financial and reputational damage for the organisations. It is appropriate that such cases are handled by a court in accordance with its strict procedural and evidential rules, where the data subject may recover their costs if successful.

As such, the Government are confident that the current system is balanced and proportionate and provides clear and effective administrative and judicial redress routes for data subjects seeking to exercise their rights.

My Lords, is the Minister saying that there is absolutely no confusion between the jurisdiction of the tribunals and the courts? That is, no court has come to a different conclusion about jurisdiction—for example, as to whether procedural matters are for tribunals and merits are for courts or vice versa. Is he saying that everything is hunky-dory and clear and that we do not need to concern ourselves with this crossover of jurisdiction?

No, as I was about to say, we need to take these issues seriously. The noble Lord raised a number of specific cases. I was unfamiliar with them at the start of the debate—

I will go away and look at those; I look forward to learning more about them. There are obvious implications in what the noble Lord said as to the most effective ways of distributing cases between courts and other channels.

For these reasons, I hope that the noble Lord will withdraw his amendment.

I am intrigued by the balance between what goes to a tribunal and what goes to the courts. I took the spirit behind the stand-part notice in the name of the noble Lord, Lord Clement-Jones, as being about finding the right place for the right case and ensuring that the wheels of justice are much more accessible. I am not entirely persuaded by what the Minister has said. It would probably help the Committee if we had a better understanding of where the cases go, how they are distributed and on what basis.

I thank the noble Lord; that is an important point. The question is: how does the Sorting Hat operate to distribute cases between the various tribunals and the court system? We believe that the courts have an important role to play in this but it is about how, in the early stages of a complaint, the case is allocated to a tribunal or a court. I can see that more detail is needed there; I would be happy to write to noble Lords.

Before we come to the end of this debate, I just want to raise something. I am grateful to the Minister for offering to bring forward the 2021 consultation on Article 80(2)—that will be interesting—but I wonder whether, as we look at the consultation and seek to understand the objections, the Government would be willing to listen to our experiences over the past two or three years. I know I said this on our previous day in Committee but there is, I hope, some point in ironing out some of the problems of the data regime that we are experiencing in action. I could bring forward a number of colleagues on that issue and on why it is a blind spot for both the ICO and the specialist organisations that are trying to bring systemic issues to its attention. It is very resource-heavy. I want a bit of goose and gander here: if we are trying to sort out some of the resourcing and administrative nightmares in dealing with the data regime, from a user perspective, perhaps a bit of kindness could be shown to that problem as well as to the problem of business.

My Lords, I thank the Minister for his response. I have surprised myself: I have taken something positive away from the Bill.

The noble Baroness, Lady Jones, was quite right to be more positive about Clause 44 than I was. The Minister unpacked its relationship with Clause 45 well and satisfactorily. Obviously, we will read Hansard before we jump to too positive a conclusion.

On Article 80(2), I am grateful to the Minister for agreeing both to go back to the consultation and to look at the kinds of evidence that were brought forward, because this is a really important aspect for many civil society organisations. He underestimates the difficulties faced when bringing complaints of this nature. I would very much like this conversation to go forward because this issue has been quite a bone of contention; the noble Baroness, Lady Kidron, remembers that only too well. We may even have had ping-pong on the matter back in 2017. There is an appetite to keep on the case so, the more we can discuss this matter—between Committee and Report in particular—the better, because there is quite a head of steam behind it.

As far as the jurisdiction point is concerned, I think this may be the first time I have heard a Minister talk about the Sorting Hat. I was impressed: I have often compared this place to Hogwarts but the concept of using the Sorting Hat to decide whether a case goes to a tribunal or a court is a wonderful one. You would probably need artificial intelligence to do that kind of thing nowadays; that in itself is a bit of an issue because, after all, these may be elaborate amendments but, as the noble Lord, Lord Bassam, said, the case being made here is about the possibility of there being confusion and things not being clear in terms of where jurisdiction lies. It is really important that we determine whether the courts and tribunals themselves understand this and, perhaps more appropriately, whether they have differing views about it.

We need to get to grips with this; the more the Minister can dig into it, and into Delo, Killock and so on, the better. We are all in the foothills here but I am certainly not going to try to unpack those two judgments and the differences between Mrs Justice Farbey and Mr Justice Mostyn, which are well beyond my competency. I thank the Minister.

Clause 44 agreed.

Clause 45: Power of the Commissioner to refuse to act on certain complaints

Amendment 152

Moved by

152: Clause 45, page 79, line 30, leave out “with the day” and insert “when”

Member's explanatory statement

This amendment adjusts the language of new section 165A(3) of the Data Protection Act 2018 to ensure that Article 3 of Regulation No 1182/71 (rules of interpretation regarding periods of time etc) will apply to it.

Amendment 152 agreed.

Amendment 153 not moved.

Clause 45, as amended, agreed.

Clause 46 agreed.

Amendment 154 not moved.

Schedule 8 agreed.

Clause 47: Court procedure in connection with subject access requests

Amendments 154A to 154F not moved.

Clause 47 agreed.

Clause 48 agreed.

Amendment 155 not moved.

Clause 49: Protection of prohibitions, restrictions and data subject’s rights

Amendment 156

Moved by

156: Clause 49, page 83, line 21, leave out “and (3)” and insert “to (3A)”

Member's explanatory statement

This amendment is consequential on the amendments in my name inserting additional subsections into this clause.

My Lords, the UK has rightly moved away from the EU concept of supremacy, under which retained EU law would always take precedence over domestic law when they were in conflict. That is clearly unacceptable now that we have left the EU. However, we understand that the effective functioning of our data protection legislation is of critical importance and it is appropriate for us to specify the appropriate relationship between UK and EU-derived pieces of legislation following implementation of the Retained EU Law (Revocation and Reform) Act, or REUL. That is why I am introducing a number of specific government amendments to ensure that the hierarchy of legislation works in the data protection context. These are Amendments 156 to 164 and 297.

Noble Lords may be aware that Clause 49 originally sought to clarify the relationship between the UK’s data protection legislation, specifically the UK GDPR and EU-derived aspects of the Data Protection Act 2018, and future data processing provisions in other legislation, such as powers to share or duties to disclose personal data, as a result of some legal uncertainty created by the European Union (Withdrawal) Act 2018. To resolve this uncertainty, Clause 49 makes it clear that all new data processing provisions in legislation should be read consistently with the key requirements of the UK data protection legislation unless it is expressly indicated otherwise. Since its introduction, the interpretation of pre-EU exit legislation has been altered and there is a risk that this would produce the wrong effect in respect of the interpretation of existing data processing provisions that are silent about their relationship with the data protection legislation.

Amendment 159 will make it clear that the full removal of the principle of EU law supremacy and the creation of a reverse hierarchy in relation to assimilated direct legislation, as provided for in the REUL Act, do not change the relationship between the UK data protection legislation and existing legislation that is in force prior to commencement of Clause 49(2). Amendment 163 makes a technical amendment to the EU withdrawal Act, as amended, to support this amendment.

Amendment 162 is similar to the previous amendment but it concerns the relationship between provisions relating to certain obligations and rights under data protection legislation and on restrictions and prohibitions on the disclosure of information under other existing legislation. Existing Section 186 of the Data Protection Act 2018 governs this relationship. Amendment 162 makes it clear that the relationship between these two types of provision is not affected by the changes to the interpretation of legislation that I have already referred to made by the REUL Act. Additionally, it clarifies that, in relation to pre-commencement legislation, Section 186(1) may be disapplied expressly or impliedly.

Amendment 164 relates to the changes brought about by the REUL Act and sets out that the provisions detailed in earlier Amendments 159, 162 and 163 are to be treated as having come into force on 1 January 2024—in other words, at the same time as commencement of the relevant provisions of the REUL Act.

Amendment 297 provides a limited power to remove provisions that achieve the same effect as new Section 183A from legislation made or passed after this Bill receives Royal Assent, as their presence could cause confusion.

Finally, Amendments 156 and 157 are consequential. Amendments 158, 160 and 161 are minor drafting changes made for consistency, updating and consequential purposes.

Turning to the amendments introduced by the noble Lord, Lord Clement-Jones, I hope that he can see from the government amendments to Clause 49 that we have given a good deal of thought to the impact of the REUL Act 2023 on the UK’s data protection framework and have been prepared to take action on this where necessary. We have also considered whether some of the changes made by the REUL Act could cause confusion about how the UK GDPR and the Data Protection Act 2018 interrelate. Following careful analysis, we have concluded that they would largely continue to be read alongside each other in the intended way, with the rules of the REUL Act unlikely to interfere with this. Any new general rule such as that suggested by the noble Lord could create confusion and uncertainty.

Amendments 168 to 170, 174, 174A and 174B seek to reverse changes introduced by the REUL Act at the end of 2023, specifically the removal of EU general principles from the statute book. EU general principles and certain EU-derived rights had originally been retained by the European Union (Withdrawal) Act to ensure legal continuity at the end of the transition period, but this was constitutionally novel and inappropriate for the long term.

The Government’s position is that EU law concepts should not be used to interpret domestic legislation in perpetuity. The REUL Act provided a solution to this by repealing EU general principles from UK law and clarifying the approach to be taken domestically. The amendments tabled by the noble Lord, Lord Clement-Jones, would undo this important work by reintroducing to the statute book references to rights and principles which have not been clearly defined and are inappropriate now that we have left the EU.

The protection of personal data already forms part of the protection offered by the European Convention on Human Rights, under the Article 8 right to respect for private and family life, and is further protected by our data protection legislation. The UK GDPR and the Data Protection Act 2018 provide a comprehensive set of rules for organisations to follow and rights for people in relation to the use of their data. Seeking to apply an additional EU right to data protection in UK law would not significantly affect the way the data protection framework functions or enhance the protections it affords to individuals. Indeed, doing so may well add unnecessary uncertainty and complexity.

Amendments 171 to 173 pertain to exemptions to specified data subject rights and obligations on data controllers set out in Schedules 2 to 4 to the DPA 2018. The 36 exemptions apply only in specified circumstances and are subject to various safeguards. Before addressing the amendments the noble Lord has tabled, it is perhaps helpful to set out how these exemptions are used. Personal data must be processed according to the requirements set out in the UK GDPR and the DPA 2018. This includes the key principles of lawfulness, fairness and transparency, data minimisation and purpose limitation, among others. The decision to restrict data subjects’ rights, such as the right to be notified that their personal data is being processed, or limit obligations on the data controller, comes into effect only if and when the decision to apply an exemption is taken. In all cases, the use of the exemption must be both necessary and proportionate.

One of these exemptions, the immigration exemption, was recently amended in line with a court ruling that found it was incompatible with the requirements set out in Article 23. This exemption is used by the Home Office. The purpose of Amendments 171 to 173 is to extend the protections applied to the immigration exemption across the other exemptions subject to Article 23, apart from in Schedule 4, where the requirement to consider whether its application prejudices the relevant purposes is not considered relevant.

The other exemptions are each used in very different circumstances, by different data controllers—from government departments to SMEs—and work by applying different tests that function in a wholly different manner from the immigration exemption. This is important to bear in mind when considering these broad-brush amendments. A one-size-fits-all approach would not work across the exemption regime.

It is the Government’s position that any changes to these important exemptions should be made only after due consideration of the circumstances of that particular exemption. In many cases, these amendments seek to make changes that run counter to how the exemption functions. Making changes across the exemptions via this Bill, as the noble Lord’s amendments propose, has the potential to have significant negative impacts on the functioning of the exemptions regime. Any potential amendments to the other exemptions would require careful consideration. The Government note that there is a power to make changes to the exemptions in the DPA 2018, if deemed necessary.

For the reasons I have given, I look forward to hearing more from the noble Lord on his amendments, but I hope that he will not press them. I beg to move.

My Lords, I thank the Minister for that very careful exposition. I feel that we are heavily into wet towel, if not painkiller, territory here, because this is a tricky area. As the Minister might imagine, I will not respond to his exposition in detail, at this point; I need to run away and get some external advice on the impact of what he said. He is really suggesting that the Government prefer a pick ‘n’ mix approach to what he regards as a one size fits all. I can boil it down to that. He is saying that you cannot just apply the rules, in the sense that we are trying to reverse some of the impacts of the previous legislation. I will set out my stall; no doubt the Minister and I, the Box and others, will read Hansard and draw our own conclusions at the end, because this is a complicated area.

Until the end of 2023, the Data Protection Act 2018 had to be read compatibly with the UK GDPR. In a conflict between the two instruments, the provisions of the UK GDPR would prevail. The reversing of the relationship between the 2018 Act and the UK GDPR, through the operation of the Retained EU Law (Revocation and Reform) Act—REUL, as the Minister described it—has had the effect of lowering data protection rights in the UK. The case of the Open Rights Group and the3million v the Secretary of State for the Home Office and the Secretary of State for Digital, Culture, Media and Sport was decided after the UK had left the EU, but before the end of 2023. The Court of Appeal held that exemptions from data subject rights in an immigration context, as set out in the Data Protection Act, were overly broad, contained insufficient safeguards and were incompatible with the UK GDPR. The court disapplied the exemptions and ordered the Home Office to redraft them to include the required safeguards. We debated the regulations the other day, and many noble Lords welcomed them on the basis that they had been revised for the second time.

This sort of challenge is now not possible, because the relationship between the DPA and the UK GDPR has been turned on its head. If the case were brought now, the overly broad exemptions in the DPA would take precedence over the requirement for safeguards set out in the UK GDPR. These points were raised by me in the debate of 12 December, when the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 were under consideration. In that debate, the noble Baroness, Lady Swinburne, stated that

“we acknowledge the importance of making sure that data processing provisions in wider legislation continue to be read consistently with the data protection principles in the UK GDPR … Replication of the effect of UK GDPR supremacy is a significant decision, and we consider that the use of primary legislation is the more appropriate way to achieve these effects, such as under Clause 49 where the Government consider it appropriate”.—[Official Report, 12/12/23; col. GC 203.]

This debate on Clause 49 therefore offers an opportunity to reinstate the previous relationship between the UK GDPR and the Data Protection Act. The amendment restores the hierarchy, so that it guarantees the same rights to individuals as existed before the end of 2023, and avoids unforeseen consequences by resetting the relationship between the UK GDPR and the DPA 2018 to what the parliamentary draftsmen intended when the Act was written. The provisions in Clause 49, as currently drafted, address the relationship between domestic law and data protection legislation as a whole, but the relationship between the UK GDPR and the DPA is left in its “reversed” state. This is confirmed in the Explanatory Notes to the Bill at paragraph 503.

The purpose of these amendments is to restore data protection rights in the UK to what they were before the end of 2023, prior to the coming into force of REUL. The amendments would restore the fundamental right to the protection of personal data in UK law; ensure that the UK GDPR and the DPA continue to be interpreted in accordance with the fundamental right to the protection of personal data; ensure that there is certainty that assimilated case law that references the fundamental right to the protection of personal data still applies; and apply the protections required in Article 23 of the UK GDPR to all the relevant exemptions in Schedule 2 to the Data Protection Act. This is crucial in avoiding diminishing trust in our data protection frameworks. If people do not trust that their data is protected, they will refuse to share it. Without this data, new technologies cannot be developed, because these technologies rely on personal data. By creating uncertainty and diminishing standards, the Government are undermining the very growth in new technologies that they want.

It is also worth pointing out that these amendments replicate what the Government have already taken powers to do through the vehicle of REUL. These are the powers on the statute book to recreate the effect of the principle of the supremacy of EU law and the general principles of EU law, and to ensure the continuing applicability of assimilated CJEU case law. The Government have rolled over all the EU’s adequacy decisions on a transitional basis and conferred data adequacy on the EU. They were intending to make independent adequacy assessments of all the jurisdictions listed in paragraph 4(5) of Schedule 21 to the DPA, but they have failed to do so. Instead, they are treating all these adequacy decisions as if they had been subject to proper scrutiny and putting them into primary legislation, which means that they cannot be quashed if they breach data subject rights. This is not the case in the EU, where the CJEU has twice quashed unlawful adequacy decisions. This is another example of the weaker rights of UK citizens in the context of the protection of their personal data as compared with their counterparts in the EU.

I am not going to go through the individual amendments. The Minister has done that effectively with regard to the impact of each amendment. But reinstating EU fundamental rights in this way has important advantages, including ensuring that the standard of data protection rights in the UK is the same as it was when the EU granted adequacy to the UK, thus confirming the essential equivalence of UK-EU standards. That is important in ensuring that a discrepancy in standards does not give rise to the loss of adequacy and the imposition of new barriers to UK-EU trade. I am sure that we will carry on with that discussion in a future group. Furthermore, it is important in ensuring that the case law that discusses data protection as a fundamental right is still applicable, thereby increasing legal certainty.

I do not expect the Minister to come back on the detail of this at this stage, but there is a really important discussion here about the importance of the fundamental guarantees to our data protection rights, which we really need to investigate in some detail.

My Lords, I have looked at the government amendments in this group and have listened very carefully to what the Minister has said—that it is largely about interpretation. There are no amendments that I wish to comment on, save to say that they seem to be about consistency of language and bringing in part EU positions into UK law. They seem also to be about consistency of meaning, and for the most part the intention seems to be to ensure that nothing in EU retained law undoes the pre-existing legal framework.

However, I would appreciate the Minister giving us a bit more detail on the operation of Amendment 164. Amendment 297 seems to deal with a duplication issue, so perhaps he can confirm for the Committee that this is the case. We have had swathes of government amendments of a minor and technical nature, largely about chasing out gremlins from the drafting process. Can he confirm that this is the case and assure the Committee that we will not be left with any nasty surprises in the drafting that need correction at a later date?

The amendments tabled in the name of the noble Lord, Lord Clement-Jones, are of course of a different order altogether. The first two—Amendments 165 and 166—would restore the relationship between the UK GDPR and the 2018 Act and the relevant provisions of the Retained EU Law (Revocation and Reform) Act 2023. Amendment 168 would ensure that assimilated case law referring to the European Charter of Fundamental Rights would still be relevant in interpreting the UK GDPR. It would give greater certainty in how the UK’s data protection framework is interpreted. Amendment 169 would ensure that the interpretation is carried over from the UK GDPR and 2018 legislation in accordance with the general principle of the protection of personal data.

The noble Lord’s Amendments 170 to 174B would bring back into law protections that existed previously when UK law was more closely aligned with EU law and regulation. There is also an extension of the EU data protection of personal data to the assimilated standard that existed by virtue of Section 4 of the European Union (Withdrawal) Act 2018. I can well understand the noble Lord’s desire to take the UK back to a position where we are broadly in the same place in terms of protections as our former EU partners. First, having—broadly speaking—protections that are common across multiple jurisdictions makes it easier and simpler for companies operating in those markets. Secondly, from the perspective of data subjects, it is much easier to comprehend common standards of data protection and to seek redress when required. The Government, for their part, will no doubt argue that there is some sort of big Brexit benefit in this, although I think that advisers and experts are divided on the degree of that benefit, and indeed who benefits.

Later, we will get to discuss data adequacy standards. Concern exists in some quarters as to whether we have this right and what this legislative opportunity might be missing to ensure that the UK meets those international standards that the EU requires. That is a debate for later, but we are broadly sympathetic to the desire of the noble Lord, Lord Clement-Jones, to find the highest level of protection for UK citizens. That is the primary motivation for many of the amendments and debates that we have had today. We do not want to weaken what were previously carefully crafted and aligned protections. I do not entirely buy the argument that the Minister made earlier about this group of amendments causing legal uncertainty. I believe it is the reverse of that: the noble Lord, Lord Clement-Jones, is trying to provide greater certainty and a degree of jurisdictional uniformity.

I hope that I have understood what the noble Lord is trying to achieve here. For those reasons, we will listen to the Minister’s concluding comments—and read Hansard—very carefully.

I thank the noble Lords, Lord Clement-Jones and Lord Bassam, for their comments. As the noble Lord, Lord Clement-Jones, points out, it is a pretty complex and demanding area, but that in no way diminishes the importance of getting it right. I hope that in my remarks I can continue that work, but of course I am happy to discuss this: it is a very technical area and, as all speakers have pointed out, it is crucial for our purposes that it be executed correctly.

While the UK remains committed to strong protections for personal data through the UK GDPR and Data Protection Act, it is important that it is able to diverge from the EU legislation where this is appropriate for the UK. We have carefully assessed the effects of EU withdrawal legislation and the REUL Act and are making adjustments to ensure that the right effect is achieved. The government amendments are designed to ensure legal certainty and protect the coherence of the data protection framework following commencement of the REUL Act—for example, by maintaining the pre-REUL Act relationship in certain ways between key elements of the UK data protection legislation and other existing legislation.

The purpose of the REUL Act is to ensure that the UK has control over its laws. Resurrecting the principle of EU law supremacy in its entirety or continuing to apply case law principles is not consistent with the UK’s departure from the EU and taking back control over our own laws. These amendments make it clear that changes made to the application of the principle of EU law supremacy and new rules relating to the interpretation of direct assimilated legislation under the REUL Act do not have any impact on existing provisions that involve the processing of personal data.

The noble Lord, Lord Bassam, asked for more detail about Amendment 164. It relates to changes brought about by the REUL Act and sets out that the provisions detailed in Amendments 159, 162 and 163 are to be treated as having come into force on 1 January 2024—in other words, at the same time as commencement of the relevant provisions of the REUL Act. The retrospective effect of this provision addresses the gap between the commencement of the REUL Act 2023 and the Data Protection and Digital Information Bill.

On the immigration exemption case, I note that it was confined to the immigration exemption and did not rule on the other exemptions. The Government will continue to keep the exemptions under review and, should it be required, the Government have the power to amend the other exemptions using an existing power in the DPA 2018. Before doing so, of course the Government would want to ensure that due consideration is given to how the particular exemptions are used. Meanwhile, I thank noble Lords for what has been a fascinating, if demanding, debate.

Amendment 156 agreed.

Amendments 157 to 164

Moved by

157: Clause 49, page 83, line 24, at end insert “: relevant enactments”

Member’s explanatory statement

This amendment is consequential on the amendment in my name inserting section 183B of the Data Protection Act 2018.

158: Clause 49, page 84, line 7, leave out “49” and insert “49(2)”

Member’s explanatory statement

This amendment changes a reference to the day on which clause 49 comes into force to a reference to the day on which subsection (2) of that clause comes into force.

159: Clause 49, page 84, line 19, at end insert—

“(2A) Before section 184 (and the italic heading before it) insert—

“183B Protection of prohibitions and restrictions etc on processing: other enactments

(1) This section is about the relationship between—

(a) a pre-commencement enactment which imposes a duty, or confers a power, to process personal data, and

(b) a provision of the main data protection legislation containing a requirement relating to the processing of personal data.

(2) The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).

(3) Where the provision described in subsection (1)(b) is a provision of, or made under, the UK GDPR, section 5(A2) of the European Union (Withdrawal) Act 2018 (assimilated direct legislation subject to domestic enactments) does not apply to the relationship.

(4) Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision with similar effect to section 183A(1) (or applying that provision) is made in connection with one such relationship but not another.

(5) In this section—

(a) “the main data protection legislation” and “requirement” have the same meaning as in section 183A, and

(b) “pre-commencement enactment” means an enactment so far as passed or made before the day on which section 49(2) of the Data Protection and Digital Information Act 2024 comes into force.

(6) Section 183A(5) applies for the purposes of subsection (1)(a) of this section as it applies for the purposes of section 183A(1).””

Member’s explanatory statement

This amendment provides that certain changes made to the European Union (Withdrawal) Act 2018 by the Retained EU Law (Revocation and Reform) Act 2023 do not alter the relationship between requirements in the data protection legislation and duties or powers to process personal data under other existing legislation.

160: Clause 49, page 84, line 27, leave out “falling within” and insert “listed in”

Member’s explanatory statement

This amendment makes a minor change to new subsection (2A) of section 186 of the Data Protection Act 2018 for consistency with the wording of the existing subsection (1) of that section.

161: Clause 49, page 84, line 30, leave out “falling within subsection (2).” and insert “listed in subsection (2),

and see also section 186A.”

Member’s explanatory statement

This amendment makes a minor change to new subsection (2A) of section 186 of the Data Protection Act 2018 for consistency with the wording of the existing subsection (1) of that section and inserts a cross-reference to new section 186A of that Act (inserted by an amendment of Clause 49 in my name).

162: Clause 49, page 84, line 34, at end insert—

“(3A) After section 186 insert—

“186A Protection of data subject’s rights: further provision

(1) This section is about the relationship between—

(a) a pre-commencement enactment which prohibits or restricts the disclosure of information or authorises the withholding of information, and

(b) a provision of the UK GDPR or this Act listed in section 186(2).

(2) The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act).

(3) Subsection (1) of section 186 does not apply to the relationship so far as there is a contrary intention, whether express or implied (taking account of, among other things, subsection (2) of this section).

(4) Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision stating that section 186(1) applies (or with similar effect) is made in connection with one such relationship but not another.

(5) In this section, “pre-commencement enactment” means an enactment passed or made before the day on which section 49(3) of the Data Protection and Digital Information Act 2024 comes into force.””

Member’s explanatory statement

This amendment provides that certain changes made to the European Union (Withdrawal) Act 2018 by the Retained EU Law (Revocation and Reform) Act 2023 do not alter the relationship between certain obligations and rights under the data protection legislation and restrictions on the disclosure of information under other existing legislation.

163: Clause 49, page 84, line 40, at end insert “, and

(c) at the end insert “(and see also section 183B(3) of that Act)”.”

Member’s explanatory statement

This amendment inserts a cross-reference to section 183B(3) of the Data Protection Act 2018 (inserted by an amendment of Clause 49 in my name) into section 5(A3) of the European Union (Withdrawal) Act 2018 (exceptions from provision about the relationship between assimilated direct legislation and domestic enactments). Section 183B(3) creates such an exception.

164: Clause 49, page 84, line 40, at end insert—

“(5) Subsections (2A), (3A) and (4)(c) are to be treated as having come into force on 1 January 2024.”

Member’s explanatory statement

This amendment provides for provision about the relationship between the data protection legislation and existing legislation—in particular, provision about the effect of changes made by the Retained EU Law (Revocation and Reform) Act 2023—to be treated as having come into force when those changes came into force.

Amendments 157 to 164 agreed.

Amendments 165 and 166 not moved.

Clause 49, as amended, agreed.

Clauses 50 and 51 agreed.

Amendments 167 to 175 not moved.

Schedule 9: Data protection: minor amendments

Amendment 176

Moved by

176: Schedule 9, page 231, line 35, at end insert—

“2A After Article 4 insert—

“Article 4A

Periods of time

1. References in this Regulation to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of the Periods of Time Regulation, except in—

(a) Article 91A(8) and (9);

(b) paragraphs 14, 15 and 16 of Annex 1.

2. In this Article, “the Periods of Time Regulation” means Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.””

Member’s explanatory statement

This amendment provides for the rules of interpretation in Article 3 of Regulation No 1182/71 (rules of interpretation regarding periods of time etc) to apply to the UK GDPR, subject to some listed exceptions.

Amendment 176 agreed.

Schedule 9, as amended, agreed.

Clause 52 agreed.

Clause 53: DVS trust framework

Amendment 177

Moved by

177: Clause 53, page 88, line 16, at end insert—

“(13) The DVS trust framework and any revision to it must be made by regulations subject to the affirmative resolution procedure.”

Member’s explanatory statement

This amendment would require the document setting rules for providers of digital verification services (or any revisions to it) to be laid before, and approved by, both Houses of Parliament. It is intended to implement a recommendation of the Delegated Powers and Regulatory Reform Committee.

My Lords, we now move on to Part 2 of the Bill, which concerns the provision of digital verification services. In moving Amendment 177, I will also speak to the amendments through to Amendment 195; apart from one, all of them are in my name and have the support of the noble Lord, Lord Clement-Jones, for which I am grateful.

The relevant clauses of the Bill establish a regulatory framework for the provision of online digital verification services in the UK through the creation of a trust framework, a register of providers, an information-sharing gateway and a trust mark. This new system will encourage the wider adoption of “reusable” digital identities, which can be used again and again for different interactions across organisations. Clause 52 helpfully clarifies that these services should be provided at the request of an individual and so are separate from any attempt to introduce universal or compulsory digital identities. As such, we support the idea in principle and accept that, in this increasingly digital-focused society, it should be easier for people to prove their identity online, whether they are, for example, opening a bank account, moving house, applying for a job and so on.

It is vital, however, that this new system has the absolute trust of those using it and proper controls and regulation for the verification providers. So far, we are a long way from achieving these objectives. A number of amendments to these clauses were added on Report in the Commons but, even so, many of the details necessary to provide a robust system are not yet available. These concerns are reflected in the recommendations of the Delegated Powers and Regulatory Reform Committee’s report; our amendments seek to enforce those recommendations.

The committee identified a number of Henry VIII powers given to the Secretary of State in this part of the Bill. Clause 53 requires the Secretary of State to publish a document setting out the rules for the provision of these new digital verification services; this is to be known as the main code and will underpin the new regime. Clause 63 requires the Secretary of State to maintain a register of verification providers who have been certified as being in compliance with the main code; these certified verification providers can then access information from public bodies, so this is a powerful new approval system.

However, as the provisions stand, there is no authority for the main code to be subject to parliamentary scrutiny. The Government have provided two main reasons for this: first, the need to make changes rapidly; and, secondly, the need to ensure that governance of these services can be transferred to a private sector body. The Delegated Powers Committee rejected this reasoning and recommended that the powers in Clause 53 to produce the main code should be subject to parliamentary scrutiny using the affirmative procedure. We support this recommendation, which is reflected in our amendments.

This particularly matters as there is so little information available as to what will be in the main code. First, there are no principles in the Bill to ensure both that services are designed and implemented around user needs and that they reflect the important privacy and data protection guarantees we have been debating elsewhere in the Bill. These types of principles are essential for building trust in the scheme, particularly as it is proposed that private providers will be at the heart of the verification service.

Secondly, there appear to be no assurances that people can opt out of digital verification and use offline methods of identification instead. This is particularly important for vulnerable and marginalised groups who might be excluded from the technology. We need to ensure that this new system does not become compulsory by default.

Thirdly, it is still not clear how the new office for digital identities and attributes, which will oversee the scheme from an office in DSIT, will be regulated to ensure proper independence and accountability.

Fourthly, it is not clear what the international implications of the scheme will be, given that many of the companies seeking compliance with the digital verification schemes will be global brands with headquarters elsewhere. Just to add a further concern, could the digital verification schemes themselves be international companies? Is there then an issue of UK domestic security being put at stake, given that they will have so much access to, for example, government data? These are some of the reasons why the details of this scheme should not be left to the Secretary of State but instead given full parliamentary scrutiny via affirmative resolution.

Finally, our Amendment 195 picks up another recommendation of the Delegated Powers and Regulatory Reform Committee, which relates to setting fees for people seeking entry or modifying details on the register of providers of verification services. The powers are given to the Secretary of State to set these fees with no reference to Parliament. The Delegated Powers Committee recommends that there should be parliamentary scrutiny using the negative procedure. We agree with this point and this is reflected in our amendment. I therefore beg to move Amendment 177.

My Lords, I speak in favour of Amendment 195ZA in my name and that of the noble Lords, Lord Vaux of Harrowden and Lord Clement-Jones, and Amendments 289 and 300 on digital identity theft. I am also very sympathetic to many of the points made by the noble Baroness, Lady Jones of Whitchurch, particularly about the most disadvantaged people in our society.

As many noble Lords know, I am a member of the Communications and Digital Committee of this House. A few months ago, we did a report on digital exclusion. We had to be quite clear about one of the issues that we found: even though some people may partly use digital—for example, they may have an email address—it does not make them digitally proficient or literate. We have to be very clear that, as more and more of our public and private services go online, it is obvious that companies and others will want to know which people are claiming to use these services. At the same time, a number of people will not be digitally literate or will not have this digital ID available. It is important that we offer them enough alternatives. It should be clear, and not beyond the wit of man or clever lawyers, that there are non-digital alternatives available for consumers and particularly, as was said by the noble Baroness, Lady Jones of Whitchurch, people from disadvantaged communities.

As we found in the report on our inquiry into digital exclusion, this does not concern only people from deprived areas. Sometimes people get by in life without much digital literacy. There are those who may be scared of it or who do not trust it, and they can come from all sorts of wealth brackets. This drives home the point that it is important to have an alternative. I cannot really say much more than the amendment itself; it does what it says on the tin. The amendment is quite clear and I am sure that the noble Lord, Lord Vaux, will speak to it as well.

I will briefly speak in favour of Amendments 289 and 300. Digital identity theft is clearly an issue and has been for a long time. Even before the digital days, identity theft was an issue and it is so much easier to hack someone’s ID these days. I have had bank accounts opened in my name. I received a letter claiming this but, fortunately, the bank was able to deal with it when I walked in and said, “This wasn’t me”. It is quite clear that this will happen more and more. Sometimes, it will simply be stealing data that has been leaked or because a system is not particularly secure; at other times, it will be because you have been careless. No matter why the crime is committed, it must be an offence in the terms suggested by the amendments of the noble Lord, Lord Clement-Jones. It is clear that we have to send a strong signal that digital identity theft is a crime and that people should be deterred from engaging in it.

My Lords, I have added my name to Amendment 195ZA—I will get to understand where these numbers come from, at some point—in the name of the noble Lord, Lord Kamall, who introduced it so eloquently. I will try to be brief in my support.

For many people, probably most, the use of online digital verification will be a real benefit. The Bill puts in place a framework to strengthen digital verification so, on the whole, I am supportive of what the Government are trying to do, although I think that the Minister should seriously consider the various amendments that the noble Baroness, Lady Jones of Whitchurch, has proposed to strengthen parliamentary scrutiny in this area.

However, not everyone will wish to use digital verification in all cases, perhaps because they are not sufficiently confident with technology or perhaps they simply do not trust it. We have already heard the debates around the advances of AI and computer-based decision-making. Digital identity verification could be seen to be another extension of this. There is a concern that Part 2 of the Bill appears to push people ever further towards decisions being taken by a computer.

I suspect that many of us will have done battle with some of the existing identity verification systems. In my own case, I can think of one bank where I gave up in deep frustration as it insisted on telling me that I was not the same person as my driving licence showed. I have also come up against systems used by estate agents when trying to provide a guarantee for my student son that was so intrusive that I, again, refused to use it.

Therefore, improving verification services is to be encouraged but there must be some element of choice, and if someone does not have the know-how, confidence, or trust in the systems, they should be able to do so through some non-digital alternative. They should not be barred from using relevant important services such as, in my examples, banking and renting a property because they cannot or would prefer not to use a digital verification service.

At the very least, even if the Minister is not minded to accept that amendment, I hope that he can make clear that the Government have no intention to make digital ID verification mandatory, as some have suggested that this Part 2 may be driving towards.

My Lords, this is quite a disparate group of amendments. I support Amendment 195ZA, which I have signed. I thought that the noble Baroness, Lady Jones, and the noble Lords, Lord Kamall and Lord Vaux, have made clear the importance of having a provision such as this on the statute book. It is important that an individual can choose whether to use digital or non-digital means of verifying their identity. It is important for the liberty and equality of individuals as well as to cultivate trust in what are essentially growing digital identity systems. The use of the word “empower” in these circumstances is important. We need to empower people rather than push them into digital systems that they may not be able to access. Therefore, a move towards digitalisation is not a justification for compelling individuals to use systems that could compromise their privacy or rights more broadly. I very much support that amendment on that basis.

I also very much support the amendments of the noble Baroness, Lady Jones, which I have signed. The Delegated Powers and Regulatory Reform Committee could not have made its recommendations clearer. The Government are serial offenders in terms of skeleton Bills. We have known that from remarks made by the noble Lord, Lord Hodgson, on the Government Benches over a long period. I am going to be extremely interested in what the Government have to say. Quite often, to give them some credit, they listen to what the DPRRC has to say and I hope that on this occasion the Minister is going to give us some good news.

This is an extremely important new system being set up by the Government. We have been waiting for the enabling legislation for quite some time. It is pretty disappointing, after all the consultations that have taken place, just how skeletal it is. No underlying principles have been set out. There is a perfectly good set of principles set out by the independent Privacy and Consumer Advisory Group that advises the Government on how to provide a simple, trusted and secure means of accessing public services. But what assurance do we have that we are going to see those principles embedded in this new system?

Throughout, it is vital that the Secretary of State is obliged to uphold the kinds of concerns being raised in the development of this DVS trust framework to ensure that those services protect the people who use them. We need that kind of parliamentary debate and it has been made quite clear that we need nothing less than that. I therefore very much support what the noble Baroness, Lady Jones, had to say on that subject.

I turn now to Amendment 184A and the Clause 80 stand part notice. Amendment 184A is a probing amendment because, as we know, the Government are enthusiastic about their new One Login government identity scheme but many of us are not clear on how the two identity schemes will interact—that is, how the DVS trust framework will interact with One Login. I would like to hear what the Government have to say about that because, of course, there is an issue of public trust in terms of what the Government are doing around joining up digital identity right across every government department. This includes whether the DVS scheme will be part of that—that is, whether the Government will access information in that way or the One Login scheme will be totally stand-alone.

I come on to Amendments 289 and 300 on digital identity theft. It strikes me as rather extraordinary that we do not have an identity theft offence. This is the Metropolitan Police guidance for the public:

“Your identity is one of your most valuable assets. If your identity is stolen, you can lose money and may find it difficult to get loans, credit cards or a mortgage. Your name, address and date of birth provide enough information to create another ‘you’”.

It could not be clearer. It goes on:

“An identity thief can use a number of methods to find out your personal information and will then use it to open bank accounts, take out credit cards and apply for state benefits in your name”.

It then talks about the signs that you should look out for, saying:

“There are a number of signs to look out for that may mean you are or may become a victim of identity theft … If you think you are a victim of identity theft or fraud, act quickly to ensure you are not liable for any financial losses … Contact CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration”.

However, there is no criminal offence.

Interestingly enough, I mentioned this to the noble Baroness, Lady Morgan; I am sad to say that I do not think she could be present today. Back in October 2022, her committee—the Fraud Act 2006 and Digital Fraud Committee—produced a really good report, Fighting Fraud: Breaking the Chain, which said:

“Identity theft is often a predicate action to the criminal offence of fraud, as well as other offences including organised crime and terrorism, but it is not a criminal offence. Cifas data shows that cases of identity fraud increased by 22% in 2021, accounting for 63% of all cases recorded to Cifas’ National Fraud Database”.

It goes on to talk about identity theft to some good effect but states:

“In February 2022, the Government confirmed that there were no plans to introduce a new criminal offence of identity theft as ‘existing legislation is in place to protect people’s personal data and prosecute those that commit crimes enabled by identity theft’”.

I do not think the committee agreed with that at all. It said:

“The Government should consult on the introduction of legislation to create a specific criminal offence of identity theft. Alternatively, the Sentencing Council should consider including identity theft as a serious aggravating factor in cases of fraud”.

The Government are certainly at odds with the Select Committee chaired by the noble Baroness, Lady Morgan. I am indebted to a creative performer called Bennett Arron, who raised this with me some years ago. He related with some pain how he took months to get back his digital identity. He said: “I eventually, on my own, tracked down the thief and gave his name and address to the police. Nothing was done. One of the reasons the police did nothing was because they didn’t know how to charge him with what he had done to me”. That is not a good state of affairs. Then we heard from Paul Davis, the head of fraud prevention at TSB. The headline of the piece in the Sunday Times was: “I’m head of fraud at a bank and my identity was still stolen”. He is top dog in this area, and he has been the subject of identity theft.

This seems an extraordinary situation, whereby the Government are sitting on their hands. There is a clear issue with identity theft, yet they are refusing—they have gone into print, in response to the committee chaired by the noble Baroness, Lady Morgan—and saying, “No, no, we don’t need anything like that; everything is absolutely fine”. I hope that the Minister can give a better answer this time around.

I thank the noble Lord, Lord Clement-Jones, the noble Baroness, Lady Jones, and my noble friend Lord Kamall for their amendments. To address the elephant in the room first, I can reassure noble Lords that the use of digital identity will not be mandatory, and privacy will remain one of the guiding principles of the Government’s approach to digital identity. There are no plans to introduce a centralised, compulsory digital ID system for public services, and the Government’s position on physical ID cards remains unchanged. The Government are committed to realising the benefits of digital identity technologies without creating ID cards.

I shall speak now to Amendment 177, which would require the rules of the DVS trust framework to be set out in regulations subject to the affirmative resolution procedure. I recognise that this amendment, and others in this group, reflect recommendations from the DPRRC. Obviously, we take that committee very seriously, and we will respond to that report in due course, but ahead of Report.

Part 2 of the Bill will underpin the DVS trust framework, a document of auditable rules, which include technical standards. The trust framework refers to data protection legislation and ICO guidance. It has undergone four years of development, consultation and testing within the digital identity market. Organisations can choose to have their services certified against the trust framework to prove that they provide secure and trustworthy digital verification services. Certification is provided by independent conformity assessment bodies that have been accredited by the UK Accreditation Service. Annual reviews of the trust framework are subject to consultation with the ICO and other appropriate persons.

Requiring the trust framework to be set out in regulations would make it hard to introduce reactive changes. For example, if a new cybersecurity threat emerged which required the rapid deployment of a fix across the industry, the trust framework would need to be updated very quickly. Developments in this fast-growing industry require an agile approach to standards and rule-making. We cannot risk the document becoming outdated and losing credibility with industry. For these reasons, the Government feel that it is more appropriate for the Secretary of State to have the power to set the rules of the trust framework with appropriate consultation, rather than for the power to be exercised by regulations.

I turn to Amendments 178 to 195, which would require the fees that may be charged under this part of the Bill to be set out in regulations subject to the negative resolution procedure. The Government have committed to growing a market of secure and inclusive digital identities as an alternative to physical proofs of identity, for those that choose to use them. Fees will be introduced only once we are confident that doing so will not restrict the growth of this market, but the fee structure, when introduced, is likely to be complex and will need to flex to support growth in an evolving market.

There are built-in safeguards to this fee-charging power. First, there is a strong incentive for the Secretary of State to set fees that are competitive, fair and reasonable, because failing to do so would prevent the Government realising their commitment to grow this market. Secondly, these fee-raising powers have a well-defined purpose and limited scope. Thirdly, the Secretary of State will explain in advance what fees she intends to charge and when she intends to charge them, which will ensure the appropriate level of transparency.

The noble Baroness, Lady Jones, asked about the arrangements for the office for digital identities and attributes. It will not initially be independent, as it will be located within the Department for Science, Innovation and Technology. As we announced in the government response to our 2021 consultation, we intend for this to be an interim arrangement until a suitable long-term home for the governing body can be identified. Delegating the role of Ofdia—as I suppose we will call it—to a third party in the future, is subject to parliamentary scrutiny, as provided for by the clauses in the Bill. Initially placing Ofdia inside government will ensure that its oversight role could mature in the most effective way and that it supports the digital identity market in meeting the needs of individual users, relying parties and industry.

Digital verification services are independently certified against the trust framework rules by conformity assessment bodies. Conformity assessment bodies are themselves independently accredited by the UK Accreditation Service to ensure that they have the competence and impartiality to perform certification. The trust framework certification scheme will be accredited by the UK Accreditation Service to give confidence that the scheme can be efficiently and competently used to certify products, processes and services. All schemes will need to meet internationally agreed standards set out by the UK Accreditation Service. Ofdia, as the owner of the main code, will work with UKAS to ensure that schemes are robust, capable of certification and operated in line with the trust framework.

Amendment 184A proposes to exclude certified public bodies from registering to provide digital verification services. The term “public bodies” could include a wide range of public sector entities, including institutions such as universities, that receive any public funding. The Government take the view that this exclusion would be unnecessarily restrictive in the UK’s nascent digital identity market.

Amendment 195ZA seeks to mandate organisations to implement a non-digital form of verification in every instance where a digital method is required. The Bill enables the use of secure and inclusive digital identities across the economy. It does not force businesses or individuals to use them, nor does it insist that businesses which currently accept non-digital methods of verification must transition to digital methods. As Clause 52 makes clear, digital verification services are services that are provided at the request of the individual. The purpose of the Bill is to ensure that, when people want to use a digital verification service, they know which of the available products and services they can trust.

Some organisations operate only in the digital sphere, such as online-only banks and energy companies. To oblige such organisations to offer manual document checking would place obligations on them that would go beyond the Government’s commitment to do only what is necessary to enable the digital identity market to grow. In so far as this amendment would apply to public authorities, the Equality Act requires those organisations to consider how their services will affect people with protected characteristics, including those who, for various reasons, might not be able or might choose not to use a digital identity product.

Is the Minister saying that, as a result of the Equality Act, there is an absolute right to that analogue—if you like—form of identification if, for instance, someone does not have access to digital services?

I understand that some services are purely digital, but some of those may well not have digital ID. We do not know what future services there might be, so they might want to show an analogue ID. Is my noble friend saying that that will not be possible because it will impose too much of a burden on those innovative digital companies? Could he clarify what he said?

On this point, the argument that the Government are making is that, where consumers want to use a digital verification service, all the Bill does is to provide a mechanism for those DVSs to be certified and assured to be safe. It does not seek to require anything beyond that, other than creating a list of safe DVSs.

The Equality Act applies to the public sector space, where it needs to be followed to ensure that there is an absolute right to inclusive access to digital technologies.

My Lords, in essence, the Minister is admitting that there is a gap when somebody who does not have access to digital services needs an identity to deal with the private sector. Is that right?

In the example I gave, I was not willing to use a digital system to provide a guarantee for my son’s accommodation in the private sector. I understand that that would not be protected and that, therefore, someone might not be able to rent a flat, for example, because they cannot provide physical ID.

The Bill does not change the requirements in this sense. If any organisation chooses to provide its services on a digital basis only, that is up to that organisation, and it is up to consumers whether they choose to use it. It makes no changes to the requirements in that space.

I will now speak to the amendment that seeks to remove Clause 80. Clause 80 enables the Secretary of State to ask accredited conformity assessment bodies and registered DVS providers to provide information which is reasonably required to carry out her functions under Part 2 of the Bill. The Bill sets out a clear process that the Secretary of State must follow when requesting this information, as well as explicit safeguards for her use of the power. These safeguards will ensure that DVS providers and conformity assessment bodies have to provide only information necessary for the functioning of this part of the Bill.

My Lords, the clause stand part amendment was clearly probing. Does the Minister have anything to say about the relationship with OneLogin? Is he saying that it is only information about systems, not individuals, which does not feed into the OneLogin identity system that the Government are setting up?

It is very important that the OneLogin system is entirely separate and not considered a DVS system. We considered whether it should be, but the view was that that comes close to mandating a digital identity system, which we absolutely want to avoid. Hence the two are treated entirely differently.

That is a good reassurance, but if the Minister wants to unpack that further by correspondence, I would be very happy to have that.

I am very happy to do so.

I turn finally to Amendments 289 and 300, which aim to introduce a criminal offence of digital identity theft. The Government are committed to tackling fraud and are confident that criminal offences already exist to cover the behaviour targeted by these amendments. Under the Fraud Act 2006, it is a criminal offence to make a gain from the use of another person’s identity or to cause or risk a loss by such use. Where accounts or databases are hacked into, the Computer Misuse Act 1990 criminalises the unauthorised access to a computer programme or data held on a computer.

Furthermore, the trust framework contains rules, standards and good practice requirements for fraud monitoring and responding to fraud. These rules will further defend systems and reduce opportunities for digital identity theft.

My Lords, I am sorry, but this is a broad-ranging set of amendments, so I need to intervene on this one as well. When the Minister does his will write letter in response to today’s proceedings, could he tell us what guidance there is to the police on this? Because when the individual, Mr Arron, approached the police, they said, “Oh, sorry, there’s nothing we can do; identity theft is not a criminal offence”. The Minister seems to be saying, “No, it is fine; it is all encompassed within these provisions”. While he may be saying that, and I am sure he will be shouting it from the rooftops in the future, the question is whether the police have guidance; does the College of Policing have guidance and does the Home Office have guidance? The ordinary individual needs to know that it is exactly as the Minister says, and identity theft is covered by these other criminal offences. There is no point in having those offences if nobody knows about them.

That is absolutely fair enough: I will of course write. Sadly, we are not joined today by ministerial colleagues from the Home Office, who have some other Bill going on.

I have no doubt that its contribution to the letter will be equally enjoyable. However, for all the reasons I set out above, I am not able to accept these amendments and respectfully encourage the noble Baroness and noble Lords not to press them.

My Lords, I suppose I am meant to say that I thank the Minister for his response, but I cannot say that it was particularly optimistic or satisfying. On my amendments, the Minister said he would be responding to the DPRRC in due course, and obviously I am interested to see that response, but as the noble Lord, Lord Clement-Jones, said, the committee could not have been clearer and I thought made a very compelling case for why there should be some parliamentary oversight of this main code and, indeed, the fees arrangements.

I understand that it is a fast-moving sector, but the sort of things that the Delegated Powers Committee was talking about was that the main code should have some fundamental principles, some user rights and so on. We are not trying to spell out every sort of service that is going to be provided—as the Minister said, it is a fast-moving sector—but people need to have some trust in it and they need to know what this verification service is going to be about. Just saying that there is going to be a code, on such an important area, and that the Secretary of State will write it, is simply not acceptable in terms of basic parliamentary democracy. If it cannot be done through an affirmative procedure, the Government need to come up with another way to make sure that there is appropriate parliamentary input into what is being proposed here.

On the subject of the fees, the Delegated Powers Committee and our amendment was saying only that there should be a negative SI. I thought that was perfectly reasonable on its part and I am sorry that the Minister is not even prepared to accept that perfectly reasonable suggestion. All in all, I thought that the response on that element was very disappointing.

The response was equally disappointing on the whole issue that the noble Lords, Lord Kamall and Lord Vaux, raised about the right not to have to use the digital verification schemes but to do things on a non-digital basis. The arguments are well made about the numbers of people who are digitally excluded. I was in the debate that the noble Lord referred to, and I cannot remember the statistics now, but something like 17% of the population do not have proper digital access, so we are excluding a large number of people from a whole range of services. It could be applying for jobs, accessing bank accounts or applying to pay the rent for your son’s flat or whatever. We are creating a two-tier system here, for those who are involved and those who are on the margins who cannot use a lot of the services. I would have hoped that the Government would have been much more engaged in trying to find ways through that and providing some guarantees to people.

We know that we are taking a big leap, with so many different services going online. There is a lot of suspicion about how these services are going to work and people do not trust that computers are always as accurate as we would like them to be, so they would like to feel that there is another way of doing it if it all goes wrong. It worries me that the Minister is not able to give that commitment.

I have to say that I am rather concerned by what the Minister said about the private sector—in effect, that it can already have a requirement to have digital only. Surely, in this brave new world we are going towards, we do not want a digital-only service; this goes back to the point about a whole range of people being excluded. What is wrong with saying, even to people who collect people’s bank account details to pay their son’s rent, “There is an alternative way of doing this as well as you providing all the information digitally”? I am very worried about where all this is going, including who will be part of it and who will not. If the noble Lords, Lord Kamall and Lord Vaux, wish to pursue this at a later point, I would be sympathetic to their arguments.

On identity theft, the noble Lord, Lord Clement-Jones, made a compelling case. The briefing that he read out from the Metropolitan Police said that your data is one of your most valuable assets, which is absolutely right. He also rightly made the point that this is linked to organised crime. It does not happen by accident; some major people are farming our details and using them for all sorts of nefarious activities. There is a need to tighten up the regulation and laws on this. The Minister read out where he thinks this is already dealt with under existing legislation but we will all want to scrutinise that and see whether that really is the case. There are lots of examples of where the police have not been able to help people and do not know what their rights are, so we just need to know exactly what advice has been given to the police.

I feel that the Minister could have done more on this whole group to assure us that we are not moving towards a two-tier world. I will withdraw my amendment, obviously, but I have a feeling that we will come back to this issue; it may be something that we can talk to the Minister about before we get to Report.

Amendment 177 withdrawn.

Clause 53 agreed.

Clauses 54 to 59 agreed.

Clause 60: Fees for approval, re-approval and continued approval

Amendments 178 to 183 not moved.

Clause 60 agreed.

Clauses 61 and 62 agreed.

Clause 63: DVS register

Amendments 184 and 184A not moved.

Clause 63 agreed.

Clause 64: Registration of additional services

Amendment 185 not moved.

Clause 64 agreed.

Clause 65: Supplementary notes

Amendment 186 not moved.

Clause 65 agreed.

Clause 66: Addition of services to supplementary notes

Amendment 187 not moved.

Clause 66 agreed.

Clause 67 agreed.

Clause 68: Fees for applications under sections 63 to 66

Amendments 188 to 195 not moved.

Clause 68 agreed.

Clauses 69 to 73 agreed.

Amendment 195ZA not moved.

Clauses 74 to 84 agreed.

Clause 85: Customer data and business data

Amendment 195A

Moved by

195A: Clause 85, page 108, line 38, at end insert—

“(v) the energy and carbon intensity of the goods, services or digital content),”

Member’s explanatory statement

This adds carbon and energy intensity to the information that can be required to be provided as “business data”

My Lords, this is a very small and modest amendment, adding a fifth element to a list. Clause 85 is very long, so I will try to keep to its key elements. The clause

“confers powers on the Secretary of State and the Treasury to make provision in connection with access to customer data and business data”.

It is particularly focused on information about

“the supply or provision of goods, services and digital content”

by a business. The four elements are these. The first is where it is “supplied or provided”; the second is “prices or other terms”; the third is “how they are used”; and the fourth is “performance or quality”. That fourth element does not cover the specific issue that my modest Amendment 195A proposes to add: the energy and carbon intensity of goods, services or digital content.

This might be seen as an attempt at future-proofing and including something which is a fast-growing area of great consumer concern—it should be of government concern too in the light of the Climate Change Act and the Government’s responsibilities. It would add a modest piece of possibility. I stress that, as the explanatory statement says, this can be required; it does not demand that it has to be required, but it provides the possibility that it can be.

There is a parallel here. When you go into a shop to think about buying white goods because you need to replace a fridge or washing machine, you expect, as a matter of standard, to see an energy performance certificate that will tell you how much electricity it will use, or, in the case of gas cookers, how much energy. We now expect that as standard, but of course, that is not focused on what is in the appliance but on what it will use.

The other obvious example is energy performance certificates in relation to housing. Again, that is something that could probably be considerably improved, but there has been some step towards thinking about issues around energy use rather than what is put in. In that context of building, we are seeing a great deal of focus—and, increasingly, a great deal of planning focus—on the issue of embodied carbon in buildings. This is taking that further, in terms of goods, services and digital provision.

Perhaps the obvious reason why a future Government might want to do this is that, if we think of the many areas of this so-called green rating in environmental standards, we have seen a profusion of different standards, labels and models. That has caused considerable confusion and uncertainty for consumers. If a Government were to say that this was the kind of step that would be used, it would give a standard to apply across the digital fields that would be clearly understood and not open to gaming by bad actors, by just creating their own standard, and so on.

Take, for example, the Mintel sustainability barometer—it is a global study but is reflective, I think, of what is happening in the UK. Consumers are increasingly demanding this information; they really want to know the environmental impact, including the impact of the production of whatever they are purchasing. This is information that consumers really want.

The other thing that I would point to in terms of this future-proofing approach is the OECD’s Inclusive Forum on Carbon Mitigation Approaches. That is rather a mouthful. In February, it put out a study entitled—another mouthful—Towards more accurate, timely, and granular product-level carbon intensity metrics: A Scoping Note. That makes it clear that we are talking here about something that is for the future; something that is being developed, but developed fast. If we think about the Government’s responsibilities within the Climate Change Act and the public desire, this modest addition, providing the legislative framework for future action, is a small positive step. I beg to move.

My Lords, I shall speak to Amendment 218, which is in my name and those of the right reverend Prelate the Bishop of Oxford and the noble Baroness, Lady Parminter. I thank them for their support.

I apologise to the Minister, because I think this amendment is typical of the increasing way in which we will see environmental and particularly climate change issues popping up in Bills that belong not to Defra, DESNZ or DLUHC but to other departments. Because there is the fundamental issue of many economic and other activities impacting on these issues, that will be a pattern for Bills. He is playing on unfamiliar turf on this one, I am sure, so I sympathise with him.

“This amendment would require Ministers and public authorities, such as regulators”

when they make significant announcements about policy change, to disclose any analysis they have done of the

“impact of announcements … on UK climate change mitigation targets, adaptation to climate impacts and nature targets”.

The sorts of announcements that this amendment refers to include the introduction of primary legislation, obviously; changes to the timing, level and scope of government targets; large public sector procurement contracts; big infrastructure spending commitments; and any other policies that have the potential to have significant impact on climate and nature targets and climate change adaptation.

I firmly believe, and I have the support of the clerks, that this accords with the provision in the Long Title of the Bill

“to make provision about the disclosure of information to improve public service delivery”.

The information disclosed has to be accurate, timely and machine-readable. The Secretary of State would give guidance on the format of that disclosure following wide consultation with those involved, especially across all departments, because it will be an issue that involves all departments.

So why is the amendment needed? At the moment, the Government are required to publish a whole load of reports on environmental impacts but many of them are periodic, or possibly only annual and high level. For example, the Government are required to publish periodic high-level delivery plans on net zero under Sections 13 and 14 of the Climate Change Act. However, these leave unquantified many emissions savings and they are not revised at all when policies change.

The Government recently decided to delay the date of a ban on new fossil fuel cars and vans; to delay the proposed ban on further installation of oil, LPG and coal heating systems; and to delay the rollout of the clean heat market mechanism. The Government failed to report any greenhouse gas impacts from these measures, which were pretty substantial announcements. Indeed, the Secretary of State for DESNZ argued that it would not be appropriate, or a requirement, to update and publish a revised version of the carbon budget delivery plan every time that there was a change in policy. That is not what this amendment argues for; it reflects that one would think that, when such significant announcements were being made, the Government would have looked at what the impact on climate change issues would be.

The amendment would simply require the Government to publish any analysis that they have done on impact assessments or to publish the fact that they have not done any such analysis—one can draw one’s own conclusions from the fact that they have not done that. The Environmental Audit Committee in the other place, around the time of the announcements of which I gave examples, went so far as to challenge the Prime Minister to provide clarity on how the Government intended to fill the emission reduction gap caused by the proposed rollback of existing policies and did not get a satisfactory answer.

There are similar current arrangements for reports on adaptation and resilience to climate change. Sections 56 and 58 of the Climate Change Act require, again, periodic reporting at a high level on adaptation to climate change. That legislation has not been updated when policies have changed. As far as the introduction of new legislation is concerned, Section 20 of the Environment Act requires a statement on environmental law by government when there is environmental content in any new Bill. However, we already know from bitter experience that the Government interpret “environmental content” rather tightly.

All but one of the 28 Bills considered by Parliament in this current Session stated that they did not contain environmental law at all, whereas we can see that several of them have a clear environmental impact. For example, the Economic Activity of Public Bodies (Overseas Matters) Bill—I should be talking now about an amendment on it across the way, as indeed, should the noble Baroness, Lady Bennett—could prevent public bodies from taking important environmental matters into account in their decision-making. However, at the time of that Bill being published, it was certified by Ministers as not containing any environmental law.

Currently, the Government publish impact assessments for new legislation, including environmental impact assessments where the proposals are expected to have an environmental impact. Again, this is interpreted very tightly by the Government. Of the 28 government Bills that we have considered in this Session, 24 reported negligible impact, zero impact or being not applicable in the greenhouse gas box of the appraisal form—or the whole box was left blank. No account was available of the evidence on which such ratings of not having any impact was based because we did not then get any environmental impact assessment. To give one example: the Offshore Petroleum Licensing Bill simply reported that impacts were not quantified, which is pretty staggering, bearing in mind the clear environmental implications of that Bill. One would think that licensing additional petroleum extraction from the North Sea has some environmental ramification.

We have talked about climate change impacts and adaptation impacts, and we have talked about legislation. With regard to public procurement, the Government and contracting authorities are not required to publish the greenhouse gas emissions associated with individual procurement contracts. We argued that one in the Procurement Bill and failed to get any movement. There is a procurement policy note guiding government departments to seek emission reductions plans from the firms that they are contracting with, but this is a non-statutory note—it is advice only—and it covers only the contracting companies’ own operations and not the impact emissions of the products or services being contracted for.

All this paints a picture, I hope, and it is not one of rigorous and open reporting, which the Government’s own net-zero review called for. In March 2021, the Public Accounts Committee also highlighted that government was not clear on how net zero would be given adequate weight in the assessment of government policies and projects. This amendment and reporting requirement would help to fill a little of that gap. It does not require huge additional analysis by the Government simply to report what analysis has been done on the climate and other environmental impacts of the announcements. As I said previously, if that report simply is that no analysis has been done, that would be equally illuminating.

This is a slightly disparate group of amendments. I have added my name in support of Amendment 296, tabled by the noble Baroness, Lady Jones of Whitchurch, which once again probes the question of whether this Bill risks causing the loss of the data adequacy ruling from the EU. This was an issue raised by many, if not most, noble Lords during Second Reading, and it is an area in which the Government’s position feels a little complacent.

The data adequacy ruling from the EU is extremely important, as the impact assessment that accompanies the Bill makes clear. It says:

“Cross-border data transfers are a key facilitator of international trade, particularly for digitised services. Transfers underpin business transactions and financial flows. They also help streamline supply chain management and allow business to scale and trade globally”.

The impact assessment then goes on to estimate the costs of losing data adequacy, and indicates a net present value cost range of between £1.6 billion and £3.4 billion over the next 10 years. As an aside, I note that that is a pretty wide range, which perhaps indicates the extent to which the costs are really understood.

The impact assessment notes that these numbers are the impact on direct trade only and that the impact may be larger still when considering supply chain impacts, but it does not make any attempt to calculate that effect. There are big potential costs, however we look at it. It therefore seems extraordinary that the impact assessment, despite running to 240 pages, makes no attempt at all to quantify the probability that the EU might decide—and it is a unilateral EU decision—to withdraw the data adequacy ruling, which it can do at any time, even before the current ruling comes to an end in July 2025. I find it extraordinary that no attempt has been made to estimate the probability of that happening. You would think that, if the Government were as confident as they say they are, they should have some evidence as to the probability of it happening.

Noble Lords should be aware that this means that the potential cost of the loss of data adequacy is not included in the NPV analysis for the Bill. If that loss did occur, the net present value of the Bill would be largely wiped out, and if the lower end of the IA range is taken, the Bill’s overall financial impact becomes a net present cost to the tune of £2.1 billion. The retention of the EU data adequacy ruling is therefore key to retaining any real benefit from this Bill at all.

On Monday, the Minister said:

“We believe they are compatible with maintaining our data adequacy decisions from the EU. We have maintained a positive, ongoing dialogue with the EU to make sure that our reforms are understood. We will continue to engage with the European Commission at official and ministerial levels with a view to ensuring that our respective arrangements for the free flow of personal data can remain in place, which is in the best interests of both the UK and the EU”.—[Official Report, 15/4/24; col. GC 261.]

By “they”, he means the measures in the Bill. So far, so good. But your Lordships will remember that, at the time of Brexit, there was actually considerable doubt as to whether we would be granted a data adequacy ruling at that time, when our rules were almost entirely convergent. This Bill increases divergence, so the approach at the moment seems complacent at best.

I do not think it is any surprise at all that our European Affairs Committee recently launched an inquiry into this very subject. While the Minister has said how confident he is, noises being made in the EU are less encouraging. For example, the chair of the European Parliament’s Civil Liberties, Justice and Home Affairs Committee wrote in February to the European Commissioner for Justice outlining his concerns about this Bill and questioning whether it will meet the requirements of “essential equivalence”, which is the test that we have to meet. He highlighted, in particular, the lack of independence of the Information Commissioner’s Office, and the elimination of the Biometrics and Surveillance Camera Commissioner, something we will come on to a little later.

It does not seem to be a given that data adequacy will be retained, despite the frankly rather woolly assurances from the Minister about his confidence. Given the enormous importance of the data adequacy ruling, and the fact that the impact assessment makes no attempt at all to assess the probability of retaining or losing it—something one would think to be really fundamental when deciding the extent of divergence we wish to follow—it must make sense to introduce the assessment proposed in Amendment 296. In the absence of something much stronger than the assurances the Minister has given so far, I urge the noble Baroness, Lady Jones, to return to this matter on Report: it is really fundamental.

My Lords, this group has three amendments within it and, as the noble Lord, Lord Vaux, said, it is a disparate group. The first two seem wholly benign and entirely laudable, in that they seek to ensure that concerns about the environmental impacts related to data connected to business are shared and provided. The noble Baroness, Lady Bennett, said hers was a small and modest amendment: I agree entirely with that, but it is valuable nevertheless.

If I had to choose which amendment I prefer, it would be the second, in the name of my noble friend Lady Young, simply because it is more comprehensive and seems to be of practical value in pursuing policy objectives related to climate change mitigation. I cannot see why the disclosure of an impact analysis of current and future announcements, including legislation, changes in targets and large contracts, on UK climate change mitigation targets would be a problem. I thought my noble friend was very persuasive and her arguments about impact assessment were sound. The example of offshore petroleum legislation effectively not having an environmental impact assessment when its impacts are pretty clear was a very good one indeed. I am one of those who believes that environmental good practice should be written all the way through, a bit like a stick of Brighton rock, and I think that about legislation. It is important that we take on board that climate change is the most pressing issue that we face for the future.

The third amendment, in the name of my noble friend Lady Jones, is of a rather different nature, but is no less important, as it relates to the UK’s data adequacy and the EU’s decisions on it. We are grateful to the noble Lords, Lord Vaux of Harrowden and Lord Clement-Jones, for their support. Put simply, it would oblige the Secretary of State to complete an assessment, within six months of the Bill’s passing,

“of the likely impact of the Act on the EU’s data adequacy decisions relating to the UK”.

It would oblige the Secretary of State to lay a report on the assessment’s findings, and the report must cover data risk assessments and the impact on SMEs. It must also include an estimate of the legislation’s financial impact. The noble Lord, Lord Vaux, usefully underlined the importance of this, with its critical 2025 date. The amendment also probes

“whether the Government anticipate the provisions of the Bill conflicting with the requirements that need to be made by the UK to maintain a data adequacy decision by the EU”.

There is widespread and considerable concern about data adequacy and whether the UK legislative framework diverges too far from the standards that apply under the EU GDPR. The risk that the UK runs in attempting to reduce compliance costs for the free flow of personal data is that safeguards are removed to the point where businesses and trade become excessively concerned. In summary, many sectors including manufacturing, retail, health, information technology and particularly financial services are concerned that the free flow of data between us and the EU, with minimal disruption, will simply not be able to continue.

As the noble Lord, Lord Vaux, underlined, it is important that we in the UK have a relationship of trust with the European Commission on this, although ultimately data adequacy could be tested in the Court of Justice of the European Union. Data subjects in the EU can rely on the general principle of the protection of personal data to invalidate EU secondary and domestic law conflicting with that principle. Data subjects can also rely on the Charter of Fundamental Rights to bring challenges. Both these routes were closed off when the UK left the EU and the provisions were not saved in UK law, so it can be argued that data protection rights are already at a lower standard than across the European Union.

It is worth acknowledging that adequacy does not necessarily require equivalence. We can have different, and potentially lower, standards than the EU but, as long as those protections are deemed to meet whatever criteria the Commission chooses to apply, it is all to the good.

However, while divergence is possible, the concern that we and others have is that the Bill continues chipping away at standards in too many different ways. This chipping away is also taking place in statutory instruments, changes to guidance and so on. If His Majesty’s Government are satisfied that the overall picture remains that UK regulation is adequate, that is welcome, but it would be useful to know what mechanism DSIT and the Government generally intend using to measure where the tipping point might be achieved and how close these reforms take us to it.

The Committee will need considerable reassurance on the question of data adequacy, not least because of its impact on businesses and financial services in the longer term. At various times, the Minister has made the argument that a Brexit benefit is contained within this legislation. If he is ultimately confident of that case, what would be the impact on UK businesses if that assessment is wrong in relation to data adequacy decisions taken within the EU?

We are going to need more than warm words and a recitation that “We think it’s right and that we’re in the right place on data adequacy”. We are going to need some convincing. Whatever the Minister says today, we will have to return to this issue on Report. It is that important for businesses in this country and for the protection of data subjects.

My Lords, these amendments have been spoken to so well that I do not need to spend a huge amount of time repeating those great arguments. Both Amendment 195A, put forward by the noble Baroness, Lady Bennett, and Amendment 218 have considerable merit. I do not think that they conflict; they are complementary, in many respects.

Awareness raising is important to this, especially in relation to Amendment 218. For instance, if regulators are going to have a growth duty, which looks like it is going to happen, why not have countervailing duties relating to climate change, as the noble Baroness, Lady Young, put forward so cogently as part of Amendment 218? Amendment 195A also has considerable merit in raising awareness in the private sector, in traders and so on. Both have considerable merit.

However, this is about data adequacy. We have come to the point—it is an interesting point in our discussions because we have been leading up to this—where we have mentioned data adequacy a number of times. We have said to the Government, “You’re watering down these data subject rights”, and they have said, “Oh no we aren’t”. We have gone back and forth for the past four days in Committee. This debate is really the culmination of our discussions about the risk, if you add everything together.

Data adequacy is crucial to data flows from the EU to the UK. The noble Lords, Lord Vaux and Lord Bassam, put the case forward absolutely. It is a big issue for business; it has been raised with all of us so many times in relation to this Bill. The free flow of data from the UK to the EU is also crucial—it is not just one-way traffic. It is the first question that business raises about this Bill. Of course, we all remember vividly the enormous uncertainty created when the CJEU invalidated the US’s adequacy decisions, most recently in the case of Schrems II in July 2020. Nobody wants to go back to that, so losing adequacy is a significant worry.

One has to look at the test that the European Commission applies when it does an adequacy assessment. It includes

“the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law … the existence and effective functioning of one or more independent supervisory authorities in the third country … and … the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data”.

So, there are quite a number of points of vulnerability here. The UK is at a disadvantage here, in fact. If its data protection law were completely different from that of the EU, it would be much more difficult to weigh up whether it was, in essence, equivalent. Where the UK is clearly dropping its standards, it is easy to distinguish that the UK does not have an essentially equivalent standard of protection.

If you look closely at the elements that make up the finding of essential equivalence for the UK, you will see that some of them have already been removed or run the risk of being removed; others will go through the operation of the Bill. I am not going into great detail but the noble Lord, Lord Bassam, talked about chipping away. We are not talking about little ice-picks: we are talking about sledgehammers being taken to some of those data subject rights, including lowering the standard of protection for data subjects; the deletion of the concept of EU fundamental rights with the potential loss of CJEU case law, which interprets data protection law; and eroding the ICO’s independence. The impact of the proposed UK rules on automated decision-making is one area where the UK is clearly dropping its standards. We have also talked today about having the ability to lower protections using secondary legislation.

The noble Lord, Lord Vaux, talked about the ruminations that are taking place in Brussels—and not just in the Parliament. On 8 February 2023, the European Commissioner for Justice, Didier Reynders, answered a question in an interesting way. He said:

“In the context of that obligation”—

on data adequacy—

“the Commission has been in regular contact with representatives of the UK government since the early stages of the UK’s reform of its data protection legislation. These contacts have been helpful for a better understanding of the content and scope of the amendments proposed in the Data Protection and Digital Information Bill. While a number of those amendments are aimed at clarifying the existing framework, some specific proposals would—if adopted—raise questions with respect to the level of protection. This is, for example, the case for the amendments that would affect the independence of the UK’s data protection authority, the Information Commissioner, as well as for the proposal to give to the Secretary of State the power to recognise in the future certain interests of the data controller as a legal basis for processing (so-called ‘legitimate interests’) without any limitation and without the need for a balancing against the rights and interests of the individual. The Commission has repeatedly raised these concerns with the UK government and will continue to closely monitor how the Bill evolves in the parliamentary process.”

So no pressure.

Adding that to what the noble Lord, Lord Vaux, talked about when he mentioned the chairman of the European Parliament’s Civil Liberties, Justice and Home Affairs Committee, the Government should not think that they can simply water down data subject rights and ramp up the Secretary of State’s rights without it being noticed across the water and without consequences. That is why they need to think carefully about this Bill and accept the amendment in the name of the noble Baroness, Lady Jones, which is the least we can do, quite apart from scrapping the Bill.

My Lords, I thank the noble Baronesses, Lady Bennett, Lady Young of Old Scone and Lady Jones, for their proposed amendments on extending the definition of business data in smart data schemes, the disclosure of climate and nature information to improve public service delivery and the publication of an EU adequacy risk assessment.

On Amendment 195A, we consider that information about the carbon and energy intensity of goods, services or digital content already falls within the scope of “business data” as information about goods, services and digital content supplied or provided by a trader. Development of smart data schemes will, where relevant, be informed by—among other things—the Government’s Environmental Principles Policy Statement, under the Environment Act 2021.

With regard to Amendment 218, I thank the noble Baroness, Lady Young of Old Scone, for her sympathies; they are gratefully received. I will do my best in what she correctly pointed out is quite a new area for me. The powers to share information under Part 5 of the Digital Economy Act 2017—the DEA—are supplemented by statutory codes of practice. These require impact assessments to be carried out, particularly for significant changes or proposals that could have wide-ranging effects on various sectors or stakeholders. These impact assessments are crucial for understanding the implications of the Digital Economy Act and ensuring that it achieves its intended objectives, while minimising any negative consequences for individuals, businesses and society as a whole. As these assessments already cover economic, social and environmental impact, significant changes in approach are already likely to be accounted for. This is in addition to the duty placed on Ministers by the Environment Act 2021 to have due regard to the Environmental Principles Policy Statement.

Lastly, turning to Amendment 296, the Government are committed to maintaining their data adequacy decisions from the EU, which we absolutely recognise play a pivotal role in enabling trade and fighting crime. As noble Lords alluded to, we maintain regular engagement with the European Commission on the Bill to ensure that our reforms are understood.

The EU adequacy assessment of the UK is, of course, a unilateral, autonomous process for the EU to undertake. However, we remain confident that our reforms deliver against UK interests and are compatible with maintaining EU adequacy. As the European Commission itself has made clear, a third country—the noble Lord, Lord Clement-Jones, alluded to this point—is not required to have the same rules as the EU to be considered adequate. Indeed, 15 countries have EU adequacy, including Japan, Israel and the Republic of Korea. All these nations pursue independent and, often, more divergent approaches to data protection.

The Government will provide both written and oral evidence to the House of Lords European Affairs Committee inquiry on UK-EU data adequacy and respond to its final report, which is expected to be published in the summer. Many expert witnesses already provided evidence to the committee and have stated that they believe that the Bill is compatible with maintaining adequacy.

As noble Lords have noted, the Government have published a full impact assessment alongside the Bill, which sets out in more detail what both the costs and financial benefits of the Bill would be—including in the unlikely scenario of the EU revoking the UK’s adequacy decision. I also note that UK adequacy is good for the EU too: every EU company, from multinationals to start-ups, with customers, suppliers or operations in the UK relies on EU-UK data transfers. Leading European businesses and organisations have consistently emphasised the importance of maintaining these free flows of data to the UK.

For these reasons, I hope that the noble Baronesses will agree to withdraw or not move these amendments.

The Minister made the point at the end there that it is in the EU’s interest to agree to our data adequacy. That is an important point but is that what the Government are relying on—the fact that it is in the EU’s interest as much as ours to continue to agree to our data adequacy provisions? If so, what the Minister has said does not make me feel more reassured. If the Government are relying on just that, it is not a particularly strong argument.

Before the Minister stands up, let me just say that I absolutely agree with what the noble Lord, Lord Bassam, said. Have the Government taken any independent advice? It is easy to get wrapped up in your own bubble. The Government seem incredibly blithe about this Bill. You only have to have gone through our days in this Committee to see the fundamental changes that are being made to data protection law, yet the Government, in this bubble, seem to think that everything is fine despite the warnings coming from Brussels. Are they taking expert advice from outside? Do they have any groups of academics, for instance, who know about this kind of thing? It is pretty worrying. The great benefit of this kind of amendment, put forward by the noble Baroness, Lady Jones, is that nothing would happen until we were sure that we were going to be data adequate. That seems a fantastic safeguard to me. If the Government are just flying blind on this, we are all in trouble, are we not?

My Lords, can I point out, on the interests of the EU, that it does not go just one way? There is a question around investment as well. For example, any large bank that is currently running a data-processing facility in this country that covers the whole of Europe may decide, if we lose data adequacy, to move it to Europe. Anyone considering setting up such a thing would probably go for Europe rather than here. There is therefore an investment draw for the EU here.

I do not know what I could possibly have said to create the impression that the Government are flying blind on this matter. We continue to engage extensively with the EU at junior official, senior official and ministerial level in order to ensure that our proposed reforms are fully understood and that there are no surprises. We engage with multiple expert stakeholders from both the EU side and the UK side. Indeed, as I mentioned earlier, a number of experts have submitted evidence to the House’s inquiry on EU-UK data adequacy and have made clear their views that the DPDI reforms set out in this Bill are compatible with EU adequacy. We continue to engage with the EU throughout. I do not want to be glib or blithe about the risks; we recognise the risks but it is vital—

Yes. I would be happy to provide a list of the people we have spoken to about adequacy; it may be a long one. That concludes the remarks I wanted to make, I think.

Perhaps the Minister could just tweak that a bit by listing not just the people who have made positive noises but those who have their doubts.

My Lords, I thank the Minister for his answer. This has been a fairly short but fruitful debate. We can perhaps commend the Minister for his resilience, although it feels like he was pounded back on the ropes a few times along the way.

I will briefly run through the amendments. I listened carefully to the Minister, although I will have to read it back in Hansard. I think he was trying to say that my Amendment 195A, which adds energy and carbon intensity to this list, is already covered. However, I really cannot see how that can be claimed to be the case. The one that appears to be closest is sub-paragraph (iv), which refers to “performance or quality”, but surely that does not include energy and carbon intensity. I will consider whether to come back to this issue.

The noble Baroness, Lady Young of Old Scone, presented a wonderfully clear explanation of why Amendment 218 is needed. I particularly welcome the comments from the noble Lord, Lord Bassam, expressing strong Labour support for this. Even if the Government do not see the light and include it in the Bill, I hope that the noble Lord’s support can be taken as a commitment that a future Labour Government intend to follow that practice in all their approaches.

I am sure that we will revisit this at some point in future. Perhaps the noble Lord will like the fact that I am saying that it is certain that we will revisit it from a different place.

These are all really serious amendments. This is a long Committee stage but, in the whole issue of data, having regard to data adequacy is absolutely crucial, as the degree of intervention on the Minister indicated. The Green Party’s position is that we want to be rejoin-ready: we want to remain as close as possible to EU standards so that we can rejoin the EU as soon as possible.

Even without taking that approach, this is a crucial issue as so many businesses are reliant on this adequacy ruling. I was taken by a comment from the Minister, who said that the UK is committed to data adequacy. The issue here is not what the UK is saying but convincing the EU, which is not in our hands or under our control, as numerous noble Lords said.

I have no doubt that we will return to data adequacy and I hope that we will return to the innovative and creative intervention from the noble Baroness, Lady Young of Old Scone. In the meantime, I beg leave to withdraw Amendment 195A.

Amendment 195A withdrawn.

Clause 85 agreed.

Clauses 86 to 95 agreed.

Clause 96: Levy

Amendment 196

Moved by

196: Clause 96, page 123, line 42, after “holders” insert “, authorised persons or third party recipients”

Member's explanatory statement

This amendment provides that the restriction in clause 96(3) on the exercise of the regulation-making power in clause 96(1) (power to impose a levy) applies in connection with regulations imposing a levy on authorised persons or third party recipients as well as regulations imposing a levy on data holders.

Amendment 196 agreed.

Clause 96, as amended, agreed.

Clauses 97 to 102 agreed.

Clause 103: Regulations under this Part

Amendment 197

Moved by

197: Clause 103, page 131, line 7, at end insert—

“(9A) The requirement in subsection (9) may be satisfied by consultation undertaken before the coming into force of this section.”

Member's explanatory statement

This amendment makes clear that the requirement under clause 103(9) to consult before making regulations described in clause 103(7) may be satisfied by consultation carried out before clause 103 comes into force.

Amendment 197 agreed.

Clause 103, as amended, agreed.

My Lords, for the convenience of the Committee and in view of the forthcoming votes, I think it would be helpful to pause here and return after the two votes have taken place. Is that agreeable?

My Lords, I would much rather not. We are due to end at 8.15 pm and I should like to hold to that. We seem to have some while before anything is going to happen. Shall we not just make progress?

Moved by

197A: After Clause 103, insert the following new Clause—

“Oversight of biometric technology use by the Information Commission

(1) The Information Commission must establish a Biometrics Office.

(2) The Biometrics Office is to be constituted by a committee of three appointed commissioners with relevant expertise.

(3) It is the function of the Biometrics Office to—

(a) establish and maintain a public register of relevant entities engaged in processing the biometric data of members of the public;

(b) oversee and review the biometrics use of relevant entities;

(c) produce a Code of Practice for the use of biometric technology by registered parties, which must include—

(i) compulsory standards of accuracy and reliability for biometric technologies;

(ii) a requirement for the proportionality of biometrics use to be assessed prior to use and annually thereafter, and a procedure for such assessment;

(iii) a procedure for individual complaints about the use of biometrics by registered parties;

(d) receive and publish annual reports from all relevant entities, which includes the relevant entity’s proportionality assessment of their biometrics use;

(e) enforce registration and reporting by the issuing of enforcement notices and, where necessary, the imposition of fines for non-compliance with the registration and reporting requirements;

(f) ensure lawfulness of biometrics use by relevant entities, including by issuing compliance and abatement notices where necessary.

(4) The Secretary of State may by regulations add to the responsibilities of the Biometrics Office.

(5) Regulations made under subsection (4) are subject to the affirmative resolution procedure.

(6) For the purposes of this Part, “relevant entity” means any organisation or body corporate (whether public or private) which processes biometric data as defined in Article 9 GDPR, other than where the biometric processing undertaken by the organisation or body corporate is otherwise overseen by the Investigatory Powers Commissioner, because it is—

(a) for the purposes of making or renewing a national security determination as defined by section 20(2) of the Protection of Freedoms Act 2012, or

(b) for the purposes set out in section 20(6) of the Protection of Freedoms Act 2012.”

My Lords, it is a pleasure to take part in today’s Committee proceedings. I declare my technology interests as an adviser to Boston Limited. It is self-evident that we have been talking about data but there could barely be a more significant piece of data than biometrics. In moving the amendment, I shall speak also to Amendments 197B and 197C, and give more than a nod to the other amendments in this group.

When we talk about data, it is always critical that we remember that it is largely our data. There could be no greater example of that than biometrics. More than data, they are parts and fragments of our very being. This is an opportune moment in the debate on the Bill to strengthen the approach to the treatment and the use of biometrics, not least because they are being increasingly used by private entities. That is what Amendments 197A to 197C are all about—the establishment of a biometrics office, a code of practice and oversight, and sanctions and fines to boot. This is of that level of significance. The Bill should have that strength when we are looking at such a significant part of our very human being and data protection.

Amendment 197B looks at reporting and regulatory requirements, and Amendment 197C at the case for entities that have already acted in the biometrics space prior to the passage of the Bill. In short, it is very simple. The amendments take principles that run through many elements of data protection and ensure that we have a clear statement on the use and deployment of biometrics in the Bill. There could be no more significant pieces of data. I look forward to the Minister’s response. I thank the Ada Lovelace Institute for its help in drafting the amendments, and I look forward to the debate on this group. I beg to move.

My Lords, I have added my name in support of the stand part notices of the noble Lord, Lord Clement-Jones, to Clauses 147, 148 and 149. These clauses would abolish the office of the Biometrics and Surveillance Camera Commissioner, along with the surveillance camera code of practice. I am going to speak mainly to the surveillance camera aspect, although I was taken by the speech of the noble Lord, Lord Holmes, who made some strong points.

The UK has become one of the most surveilled countries in the democratic world. There are estimated to be over 7 million CCTV cameras in operation. I give one example: the automated number plate recognition, ANPR, system records between 70 million and 80 million readings every day. Every car is recorded on average about three times a day. The data is held for two years. The previous Surveillance Camera Commissioner, Tony Porter, said about ANPR that it,

“must surely be one of the largest data gatherers of its citizens in the world. Mining of meta-data—overlaying against other databases can be far more intrusive than communication intercept”.

Professor Sampson, the previous commissioner, said about ANPR:

“There is no ANPR legislation or act, if you like. And similarly, there is no governance body to whom you can go to ask proper questions about the extent and its proliferation, about whether it should ever be expanded to include capture of other information such as telephone data being emitted by a vehicle or how it's going to deal with the arrival of automated autonomous vehicles”.

And when it came to independent oversight and accountability, he said:

“I’m the closest thing it’s got—and that’s nothing like enough”.

I am not against the use of surveillance cameras per se—it is unarguable that they are a valuable tool in the prevention and detection of crime—but there is clearly a balance to be found. If we chose to watch everything every person does all of the time, we could eliminate crime completely, but nobody is going to argue that to be desirable. We can clearly see how surveillance and biometrics can be misused by states that wish to control their populations—just look at China. So there is a balance to find between the protection of the public and intrusion into privacy.

Technology is moving incredibly rapidly, particularly with the ever-increasing capabilities of AI. As technology changes, so that balance between protection and privacy may also need to change. Yet Clause 148 will abolish the only real safeguards we have, and the only governance body that keeps an eye on that balance. This debate is not about where that balance ought to be; it is about making sure that there is some process to ensure that the balance is kept under independent review at a time when surveillance technologies and usage are developing incredibly rapidly.

I am sure that the Minister is going to argue that, as he said at Second Reading:

“Abolishing the Surveillance Camera Commissioner will not reduce data protection”.—[Official Report, 19/12/23; col. 2216.]

He is no doubt going to tell us that the roles of the commissioner will be adequately covered by the ICO. To be honest that completely misses the point. Surveillance is not just a question of data protection; it is a much wider question of privacy. Yes, the ICO may be able to manage the pure data protection matters, but it cannot possibly be the right body to keep the whole question of surveillance and privacy intrusion, and the related technologies, under independent review.

It is also not true that all the roles of the commissioner are being transferred to other bodies. The report by the Centre for Research into Surveillance and Privacy, or CRISP, commissioned by the outgoing commissioner, is very clear that a number of important areas will be lost, particularly reviewing the police handling of DNA samples, DNA profiles and fingerprints; maintaining an up-to-date surveillance camera code of practice with standards and guidance for practitioners and encouraging compliance with that code; setting out technical and governance matters for most public body surveillance systems, including how to approach evolving technology, such as AI-driven systems including facial recognition technology; and providing guidance on technical and procurement matters to ensure that future surveillance systems are of the right standard and purchased from reliable suppliers. It is worth noting that it was the Surveillance Camera Commissioner who raised the issues around the use of Hikvision cameras, for example—not something that the ICO is likely to be able to do. Finally, we will also lose the commissioner providing reports to the Home Secretary and Parliament about public surveillance and biometrics matters.

Professor Sampson said, before he ended his time in office as commissioner:

“The lack of attention being paid to these important matters at such a crucial time is shocking, and the destruction of the surveillance camera code that we’ve all been using successfully for over a decade is tantamount to vandalism”.

He went on to say:

“It is the only legal instrument we have in this country that specifically governs public space surveillance. It is widely respected by the police, local authorities and the surveillance industry in general … It seems absolutely senseless to destroy it now”.

The security industry does not want to see these changes either, as it sees the benefits of having a clear code. The Security Systems and Alarms Inspection Board said:

“Without the Surveillance Camera Commissioner you will go back to the old days when it was like the ‘wild west’, which means you can do anything with surveillance cameras so long as you don’t annoy the Information Commissioner … so, there will not be anyone looking at new emerging technologies, looking at their technical requirements or impacts, no one thinking about ethical implications for emerging technologies like face-recognition, it will be a free-for-all”.

The British Security Industry Association said:

“We are both disappointed and concerned about the proposed abolition of the B&SCC. Given the prolific emergence of biometric technologies associated with video surveillance, now is a crucial time for government, industry, and the independent commissioner(s) to work close together to ensure video surveillance is used appropriately, proportionately, and most important, ethically”.

I do not think I can put it better than that.

While there may be better ways to achieve the appropriate safeguards than the current commissioner arrangement, this Bill simply abolishes everything that we have now and replaces the safeguards only partially, and only from a data protection perspective. I am open to discussion about how we might fill the gaps, but the abolition currently proposed by the Bill is a massively retrograde and even dangerous step, removing the only safeguards we have against the uncontrolled creep towards ever more intrusive surveillance of innocent people. As technology increases the scope for surveillance, this must be the time for greater safeguards and more independent oversight, not less. The abolition of the commissioner and code should not happen unless there are clear, better, safeguards established to replace it, and this Bill simply does not do that.

My Lords, I want to speak briefly in support of, first, the amendments in the name of my noble friend Lord Holmes, which would recreate the office of the Biometrics and Surveillance Camera Commissioner.

As I have done on a number of occasions, I shall tell a short story; it is about the Human Fertilisation and Embryology Authority. Noble Lords may wonder why I am starting there. I remember very clearly one of the first debates that I participated in when I was at university—far too long ago. It was at the Oxford Union, and Dame Mary Warnock came to speak about what was then a highly contentious use of new technology. In this country, we had that debate early; we established an authority to oversee what are very complex scientific and ethical issues. It has remained a settled issue in this country that has enabled many families to bear children, bringing life and joy to people in a settled and safe way.

This data issue is quite similar, I think. Other countries did not have that early debate, which I remember as a teenager, and did not establish a regulator in the form of the HFEA. I point to the US, which was torn apart by those very issues. As the noble Lord, Lord Vaux, has just set out, the public are very concerned about the use of biometric data. This is an issue that many sci-fi novels and films have been made about, because it preys on our deepest fears. I think that technology can be hugely valuable to society, but only if we build and maintain trust in it. In order to do that, you need consistent, long-standing, expert regulation.

Like the noble Lord, Lord Vaux, I do not understand why the changes that this Bill brings will make things better. It narrows the scope of protection to data protection only when, actually, the issues are much broader, much subtler and much more sophisticated. For that reason and that reason alone, I think that we need to remove these clauses and reinstate the regulator that exists today.

My Lords, I find myself in a fortunate position: we have made progress fast enough to enable me to go from one end of the Room to the other and play a modest part in this debate. I do so because, at an earlier stage, I identified the amendments tabled by the noble Lord, Lord Holmes, and I very much wish to say a few words in support of them.

Reference has already been made to the briefing that we have had from CRISP. I pay tribute to the authors of that report—I do not need to read long chunks of it into the record—and am tempted to follow the noble Lord in referring to both of them. I sometimes wonder whether, had their report been officially available before the Government drafted the Bill, we would find ourselves in the position we are now in. I would like to think that that would have had an effect on the Government’s thinking.

When I first read about the Government’s intention to abolish the post of the Biometrics and Surveillance Camera Commissioner, I was concerned, but I am not technically adept to know enough about it in detail. I am grateful for the advice that I have had from CRISP and from Professor Michael Zander, a distinguished and eminent lawyer who is a Professor Emeritus at LSE. I am grateful to him for contacting me about this issue. I want to make a few points on his and its behalf.

In the short time available to me, this is the main thing I want to say. The Government argue that abolishing these joint roles will

“reduce duplication and simplify oversight of the police use of biometrics”.

Making that simpler and rationalising it is at the heart of the Government’s argument. It sounds as if this is merely a tidying-up exercise, but I believe that that is far from the case. It is fair to accept that the current arrangements for the oversight of public surveillance and biometric techniques are complex, but a report published on 30 October, to which noble Lords’ attention has already been drawn, makes a powerful case that what the Government intend to do will result in losses that are a great deal more significant than the problems caused by the complexity of the present arrangements. That is the paper’s argument.

The report’s authors, who produced a briefing for Members’ use today, have presented a mass of evidence and provided an impressively detailed analysis of the issues. The research underpinning the report includes a review of relevant literature, interviews with leading experts and regulators—

Sitting suspended for a Division in the House.

I do not have the benefit of seeing a Hansard update to know after which word I was interrupted and we had to leave to vote, so I will just repeat, I hope not unduly, the main point I was making at the time of the Division. This was that the central conclusion of the CRISP report is that the Government’s policy

“generates significant gaps in the formal oversight of biometrics and surveillance practices in addition to erasing many positive developments aimed at raising standards and constructive engagement with technology developers, surveillance users and the public”.

The reason I am very glad to support the noble Lord, Lord Holmes, in these amendments is that the complexities of the current regulatory landscape and the protections offered by the BSCC in an era of increasingly intensive advanced and intrusive surveillance mean that the abolition of the BSCC leaves these oversight gaps while creating additional regulatory complexity. I will be interested to see how the Minister defends the fact that this abolition is supposed to improve the situation.

I do not want to detain the Committee for very long, but I shall just read this one passage from the report into the record, because it is relevant to the debate we are having. We should not remove

“a mechanism for assuring Parliament and the public of appropriate surveillance use, affecting public trust and legitimacy at a critical moment concerning public trust in institutions, particularly law enforcement. As drafted, the Bill reduces public visibility and accountability of related police activities. The lack of independent oversight becomes amplified by other sections of the Bill that reduce the independence of the current Information Commissioner role”.

In short, I think it would be a mistake to abolish the biometrics commissioner, and on that basis, I support these amendments.

My Lords, it has been a pleasure to listen to noble Lords’ speeches in this debate. We are all very much on the same page and have very much the same considerations in mind. Both the protection of biometric data itself and also the means by which we regulate its use and have oversight over how it is used have been mentioned by everyone. We may have slightly different paths to making sure we have that protection and oversight, but we all have the same intentions.

The noble Lord, Lord Holmes, pointed to the considerable attractions of, in a sense, starting afresh, but I have chosen a rather different path. I think it was the noble Lord, Lord Vaux, who mentioned Fraser Sampson, the former Biometrics and Surveillance Camera Commissioner. I must admit that I have very high regard for the work he did, and also for the work of such people as Professor Peter Fussey of Essex University. Of course, a number of noble Lords have mentioned the work of CRISP in all this, which kept us very well briefed on the consequence of these clauses.

No one has yet spoken to the stand part notices on Clauses 130 to 132; I will come on to those on Clauses 147 to 149 shortly. The Bill would drastically change the way UK law enforcement agencies can handle biometric personal data. Clauses 130 to 132 would allow for data received from overseas law enforcement agencies to be stored in a pseudonymised, traceable format indefinitely.

For instance, Clause 130 would allow UK law enforcement agencies to hold biometric data received from overseas law enforcement agencies in a pseudonymised format. In cases where the authority ceases to hold the material pseudonymously and the individual has no previous convictions or only one exempt conviction, the data may be retained in a non-pseudonymous format for up to three years. Therefore, the general rule is indefinite retention with continuous pseudonymisation, except for a specific circumstance where non-pseudonymised retention is permitted for a fixed period. I forgive noble Lords if they have to read Hansard to make total sense of that.

This is a major change in the way personal data can be handled. Permitting storage of pseudonymised or non-pseudonymised data will facilitate a vast biometric database that can be traced back to individuals. Although this does not apply to data linked to offences committed in the UK, it sets a concerning precedent for reshaping how law enforcement agencies hold data in a traceable and identifiable way. It seems that there is nothing to stop a law enforcement agency pseudonymising data just to reattach the identifying information, which they would be permitted to hold for three years.

The clauses do not explicitly define the steps that must be taken to achieve pseudonymisation. This leaves a broad scope for interpretation and variation in practice. The only requirement is that the data be pseudonymised

“as soon as reasonably practicable”,

which is a totally subjective threshold. The collective impact of these clauses, which were a late addition to the Bill on Report in the Commons, is deeply concerning. We believe that these powers should be withdrawn to prevent a dangerous precedent being set for police retention of vast amounts of traceable biometric data.

The stand part notices on Clauses 147 to 149 have been spoken to extremely cogently by the noble Lord, Lord Vaux, the noble Viscount, Lord Stansgate, and the noble Baroness, Lady Harding. I will not repeat a great deal of what they said but what the noble Baroness, Lady Harding, said about the Human Fertilisation and Embryology Authority really struck a chord with me. When we had our Select Committee on Artificial Intelligence, we looked at models for regulation and how to gain public trust for new technologies and concepts. The report that Baroness Warnock did into fertilisation and embryology was an absolute classic and an example of how to gain public trust. As the noble Baroness, Lady Harding, said, it has stood the test of time. As far as I am concerned, gaining that kind of trust is the goal for all of us.

What we are doing here risks precisely the reverse by abolishing the office of the Biometrics and Surveillance Camera Commissioner. This was set up under the Protection of Freedoms Act 2012, which required a surveillance camera commissioner to be appointed and a surveillance camera code of practice to be published. Other functions of the Biometrics and Surveillance Camera Commissioner are in essence both judicial and non-judicial. They include developing and encouraging compliance with the surveillance camera code of practice; raising standards for surveillance camera developers, suppliers and users; public engagement; building legitimacy; reporting annually to Parliament via the Home Secretary; convening expertise to support these functions; and reviewing all national security determinations and other powers by which the police can retain biometric data. The Bill proposes to erase all but one—I stress that—of these activities.

The noble Lord, Lord Vaux, quoted CRISP. I will not repeat the quotes he gave but its report, which the noble Viscount, Lord Stansgate, also cited, warns that

“plans to abolish and not replace existing safeguards in this crucial area will leave the UK without proper oversight just when advances in artificial intelligence (AI) and other technologies mean they are needed more than ever”.

The Bill’s reduction of surveillance-related considerations to data protection compares unfavourably to regulatory approaches in other jurisdictions. Many have started from data protection and extended it to cover the wider rights-based implications of surveillance. Here, the Bill proposes a move in precisely the opposite direction. I am afraid this is yet another example of the Bill going entirely in the wrong direction.

My Lords, I thank all noble Lords who have contributed to what has been an excellent debate on this issue. We have all been united in raising our concerns about whether the offices of the biometrics commissioner and the surveillance camera commissioner should be abolished. We all feel the need for more independent oversight, not less, as is being proposed here.

As we know, the original plan was for the work of the biometrics commissioner to be transferred to the Information Commissioner, but when he raised concerns that this would result in the work receiving less attention, it was decided to transfer it to the Investigatory Powers Commissioner instead. Meanwhile, the office of the surveillance camera commissioner is abolished on the basis that these responsibilities are already covered elsewhere. However, like other noble Lords, we remain concerned that the transfer of this increasingly important work from both commissioners will mean that it does not retain the same level of expertise and resources as it enjoys under the current regime.

These changes have caused some alarm among civic society groups such as the Ada Lovelace Institute and the Centre for Research into Information Surveillance and Privacy, to which noble Lords have referred. They argue that we are experiencing a huge expansion in the reach of surveillance and biometric technology. The data being captured, whether faces, fingerprints, walking style, voice or the shape of the human body, are uniquely personal and part of our individual identity. The data being captured can enhance public safety but can also raise critical ethical concerns around privacy, free expression, bias and discrimination. As the noble Lord, Lord Vaux, said, we need a careful balance of those issues between protection and privacy.

The noble Baroness, Lady Harding, quite rightly said that there is increasing public mistrust in the use of these techniques, and that is why there is an urgent need to take people on the journey. The example the noble Baroness gave was vivid. We need a robust legal framework to underpin the use of these techniques, whether it is by the police, the wider public sector or private institutions. As it stands, the changes in the Bill do not achieve that reassurance, and we have a lot of lessons to learn.

Rather than strengthening the current powers to respond to the huge growth and reach of surveillance techniques, the Bill essentially waters down the protections. Transferring the powers from the BSCC to the new Information Commissioner brings the issue down to data protection when the issues of intrusion and the misuse of biometrics and surveillance are much wider than that. Meanwhile, the impact of AI will herald a growth of new techniques such as facial emotional appraisal and video manipulation, leading to such things as deep fakes. All these techniques threaten to undermine our sense of self and our control of our own personal privacy.

The amendment in the name of the noble Lord, Lord Holmes, takes up the suggestion, also made by the Ada Lovelace Institute, to establish a biometrics office within the ICO, overseen by three experienced commissioners. The functions would provide general oversight of biometric techniques, keep a register of biometric users and set up a process for considering complaints. Importantly, it would require all entities processing biometric data to register with the ICO prior to any use.

We believe that these amendments are a really helpful contribution to the discussion. They would place the oversight of biometric techniques in a more effective setting where the full impacts of these techniques can be properly monitored, measured and reported on. We would need more details of the types of work to be undertaken by these commissioners, and the cost implications but, in principle, we support these amendments because they seem to be an answer to our concerns. We thank the noble Lord for tabling them and very much hope the Minister will give the proposals serious consideration.

My Amendments 238 and 286 address another concern about the limitation of the current regime. This relates to how biometric techniques can sometimes be used or misused to classify people. The current definition of biometric data is limited to unique identification, such as photographs or fingerprints. Far more worrying is the application of these techniques to classify people, and put them in a particular box, without them knowing, in ways that could have long-lasting detriment on their lives. AI and large language models pose a particular threat in this regard. For example, apart from classifying the obvious physical traits, it could affect people’s access to jobs, and they could be targeted unfairly by the police or be subjected to persistent messaging and advertising over which they have no control.

When this was debated in the Commons, the Minister, John Whittingdale, argued that this was already covered by the GDPR, but I am not sure that is the case. The GDPR specifically focuses on individual data rights. Our amendment would amend the UK GDPR to extend the biometric data protections currently in place from simply identifying an individual to also identifying the classification applied to them. I therefore hope that the Minister can see the sense in these amendments, and I look forward to his response.

Finally, I am grateful to the noble Lord, Lord Clement-Jones, for his amendments and his contribution. I think that we are all on the same page here, sharing a concern about the abolition of the office of the Biometrics and Surveillance Camera Commissioner, and trying to find the best way to replace and enhance those protections. I thought that the noble Lord made a very strong case for his amendments in that regard.

I think that we are all in agreement, although we do not have the same wording. I think that with a little effort we could find that wording. These are important issues. I hope that the Minister can give a more positive response than to the last debate that I spoke in. We are going to carry on working on it, even if he does not want to—so I hope that we are able to make some progress on this issue.

I thank my noble friend Lord Holmes, the noble Baroness, Lady Jones, and the noble Lord, Lord Clement-Jones, as well as other co-signatories for detailed examination of the Bill through these amendments.

I begin by addressing Amendments 197A, 197B and 197C tabled by my noble friend Lord Holmes, which seek to establish a biometrics office responsible for overseeing biometric data use, and place new obligations on organisations processing such data. The Information Commissioner already has responsibility for monitoring and enforcing the processing of biometric data, and these functions will continue to sit with the new information commission, once established. For example, in March 2023 it investigated the use of live facial recognition in a retail security setting by Facewatch. In February 2024, it took action against Serco Leisure in relation to its use of biometric data to monitor attendance of leisure centre employees.

Schedule 15 to this Bill will also enable the information commission to establish committees of external experts with skills in any number of specialist areas, including biometrics, to provide specialist advice to the commission. Given that the Information Commissioner already has responsibility for monitoring and enforcing the processing of biometric data, the Government are therefore of the firm view that the information commission is best placed to continue to oversee the processing of biometric data. The Bill also allows the new information commission to establish specialist committees and require them to provide the commission with specialist advice. The committees may include specialists from outside the organisation, with key skills and expertise in specific areas, including biometrics.

The processing of biometric data for the purpose of uniquely identifying an individual is also subject to heightened safeguards, and organisations can process such data only if they meet one of the conditions of Article 9 of UK GDPR—for example, where processing is necessary to comply with employment law provisions, or for reasons of substantial public interest. Without a lawful basis and compliance with relevant conditions, such processing of biometric data is prohibited.

Amendments 197B and 197C in the name of my noble friend Lord Holmes would also impose new, prescriptive requirements on organisations processing, and intending to process, biometric data and setting unlimited fines for non-compliance. We consider that such amendments would have significant unintended consequences. There are many everyday uses of biometrics data, such as using your thumbprint to access your phone. If every organisation that launched a new product had to comply with the proposed requirements, it would introduce significant and unnecessary new burdens and would discourage innovation, undermining the aims of this Bill. For these reasons, I respectfully ask my noble friend not to move these amendments.

The Government deem Amendment 238 unnecessary, as using biometric data—

I am sorry, but I am wondering whether the Minister is going to say any more on the amendment in the name of the noble Lord, Lord Holmes. Can I be clear? The Minister said that the ICO is the best place to oversee these issues, but the noble Lord’s amendment recognises that; it just says that there should be a dedicated biometrics unit with specialists, et cetera, underneath it. I am looking towards the noble Lord—yes, he is nodding in agreement. I do not know that the Minister dismissed that idea, but I think that this would be a good compromise in terms of assuaging our concerns on this issue.

I apologise if I have misunderstood. It sounds like it would be a unit within the ICO responsible for that matter. Let me take that away if I have misunderstood—I understood it to be a separate organisation altogether.

The Government deem Amendment 238 unnecessary, as using biometric data to categorise or make inferences about people, whether using algorithms or otherwise, is already subject to the general data protection principles and the high data protection standards of the UK’s data protection framework as personal data. In line with ICO guidance, where the processing of biometric data is intended to make an inference linked to one of the special categories of data—for example, race or ethnic origin—or the biometric data is processed for the intention of treating someone differently on the basis of inferred information linked to one of the special categories of data, organisations should treat this as special category data. These protections ensure that this data, which is not used for identification purposes, is sufficiently protected.

Similarly, Amendment 286 intends to widen the scope of the Forensic Information Databases Service—FINDS—strategy board beyond oversight of biometrics databases for the purpose of identification to include “classification” purposes as well. The FINDS strategy board currently provides oversight of the national DNA database and the national fingerprint database. The Bill puts oversight of the fingerprint database on the same statutory footing as that of the DNA database and provides the flexibility to add oversight of new biometric databases, where appropriate, to provide more consistent oversight in future. The delegated power could be used in the medium term to expand the scope of the board to include a national custody image database, but no decisions have yet been taken. Of course, this will be kept under review, and other biometric databases could be added to the board’s remit in future should these be created and should this be appropriate. For the reasons I have set out, I hope that the noble Baroness, Lady Jones of Whitchurch, will therefore agree not to move Amendments 238 and 286.

Responses to the data reform public consultation in 2021 supported the simplification of the complex oversight framework for police use of biometrics and surveillance cameras. Clauses 147 and 148 of the Bill reflect that by abolishing the Biometrics and Surveillance Camera Commissioner’s roles while transferring the commissioner’s casework functions to the Investigatory Powers Commissioner’s Office.

Noble Lords referred to the CRISP report, which was commissioned by Fraser Sampson—the previous commissioner—and directly contradicts the outcome of the public consultation on data reform in 2021, including on the simplification of the oversight of biometrics and surveillance cameras. The Government took account of all the responses, including from the former commissioner, in developing the policies set out in the DPDI Bill.

There will not be a gap in the oversight of surveillance as it will remain within the statutory regulatory remit of other organisations, such as the Information Commissioner’s Office, the Equality and Human Rights Commission, the Forensic Science Regulator and the Forensic Information Databases Service strategy board.

One of the crucial aspects has been the reporting of the Biometrics and Surveillance Camera Commissioner. Where is there going to be and who is going to have a comprehensive report relating to the use of surveillance cameras and the biometric data contained within them? Why have the Government decided that they are going to separate out the oversight of biometrics from, in essence, the surveillance aspects? Are not the two irretrievably brought together by things such as live facial recognition?

Yes. There are indeed a number of different elements of surveillance camera oversight; those are reflected in the range of different bodies doing that. As to the mechanics of the production of the report, I am afraid that I do not know the answer.

Does the Minister accept that the police are one of the key agencies that will be using surveillance cameras? He now seems to be saying, “No, it’s fine. We don’t have one single oversight body; we had four at the last count”. He probably has more to say on this subject but is that not highly confusing for the police when they have so many different bodies that they need to look at in terms of oversight? Is it any wonder that people think the Bill is watering down the oversight of surveillance camera use?

No. I was saying that there was extensive consultation, including with the police, and that that has resulted in these new arrangements. As to the actual mechanics of the production of an overall report, I am afraid that I do not know but I will find out and advise noble Lords.

His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services also inspects, monitors and reports on the efficiency and effectiveness of the police, including their use of surveillance cameras. All of these bodies have statutory powers to take the necessary action when required. The ICO will continue to regulate all organisations’ use of these technologies, including being able to take action against those not complying with data protection law, and a wide range of other bodies will continue to operate in this space.

On the first point made by the noble Lord, Lord Vaux, where any of the privacy concerns he raises concern information that relates to an identified or identifiable living individual, I can assure him that this information is covered by the UK’s data protection regime. This also includes another issue raised by the noble Lord—where the ANPR captures a number-plate that can be linked to an identifiable living individual—as this would be the processing of personal data and thus governed by the UK’s data protection regime and regulated by the ICO.

For the reasons I have set out, I maintain that these clauses should stand part of the Bill. I therefore hope that the noble Lord, Lord Clement-Jones, will withdraw his stand part notices on Clauses 147 and 148.

Clause 149 does not affect the office of the Biometrics and Surveillance Camera Commissioner, which the noble Lord seeks to maintain through his amendment. The clause’s purpose is to update the name of the national DNA database board and update its scope to include the national fingerprint database within its remit. It will allow the board to produce codes of practice and introduce a new delegated power to add or remove biometric databases from its remit in future via the affirmative procedure. I therefore maintain that this clause should stand part of the Bill and hope that the noble Lord will withdraw his stand part notice.

Clauses 147 and 148 will improve consistency in the guidance and oversight of biometrics and surveillance cameras by simplifying the framework. This follows public consultation, makes the most of the available expertise, improves organisational resilience, and ends confusing and inefficient duplication. The Government feel that a review, as proposed, so quickly after the Bill is enacted is unnecessary. It is for these reasons that I cannot accept Amendment 292 in the name of the noble Lord, Lord Clement-Jones.

I turn now to the amendments tabled by the noble Lord, Lord Clement-Jones, which seek to remove Clauses 130 to 132. These clauses make changes to the Counter-Terrorism Act 2008, which provides the retention regime for biometric data held on national security grounds. The changes have been made only following a formal request from Counter Terrorism Policing to the Home Office. The exploitation of biometric material, including from international partners, is a valuable tool in maintaining the UK’s national security, particularly for ensuring that there is effective tripwire coverage at the UK border. For example, where a foreign national applies for a visa to enter the UK, or enters the UK via a small boat, their biometrics can be checked against Counter Terrorism Policing’s holdings and appropriate action to mitigate risk can be taken, if needed.

The existing retention rules in the Counter-Terrorism Act present several operational challenges for Counter Terrorism Policing in relation to international biometric exchange. These clauses make proportionate changes to mitigate these issues, so that the police are not forced to delete critical data. In the case of Clause 132, which makes changes to the way biometrics from Interpol can be retained, this change was recommended by the Independent Reviewer of Terrorism Legislation, who highlighted the pressing operational need for these biometrics to be exempt from the national security determination regime and an alternative regime to be put in place.

Overall, these clauses will support the police to retain biometric data from international partners, including Interpol, ensuring that biometrics are retained in a proportionate way, while protecting the public from national security-related risks, such as terrorism. Given the positive impact these changes will have on national security—changes which, in part, have the support of the relevant independent reviewers and which are being pursued only following a formal request from policing—I cannot support the noble Lord’s opposition to Clauses 130, 131 and 132 standing part of the Bill, and I hope that he will not press it.

My Lords, to go back to some of the surveillance points, one of the issues is the speed at which technology is changing, with artificial intelligence and all the other things we are seeing. One of the roles of the commissioner has been to keep an eye on how technology is changing and to make recommendations as to what we do about the impacts of that. I cannot hear, in anything the noble Viscount is saying, how that role is replicated in what is being proposed. Can he enlighten me?

Yes, indeed. In many ways, this is advantageous. The Information Commissioner obviously has a focus on data privacy, whereas the various other organisations, particularly BSCC, EHRC and the FINDS Board, have subject-specific areas of expertise on which they will be better placed to horizon-scan and identify new emerging risks from technologies most relevant to their area.

Is the noble Viscount saying that splitting it all up into multiple different places is more effective than having a single dedicated office to consider these things? I must say, I find that very hard to understand.

I do not think we are moving from a simple position. We are moving from a very complex position to a less complex position.

Can the Minister reassure the Committee that, under the Government’s proposals, there will be sufficient reporting to Parliament, every year, from all the various bodies to which he has already referred, so that Parliament can have ample opportunity to review the operation of this legislation as the Bill stands at the moment?

Yes, indeed. The information commission will be accountable to Parliament. It is required to produce transparency and other reports annually. For the other groups, I am afraid that many of them are quite new to me, as this is normally a Home Office area, but I will establish what their accountability is specifically to Parliament, for BSCC and the—

My Lords, I thank all noble Lords who participated in the excellent debate on this set of amendments. I also thank my noble friend the Minister for part of his response; he furiously agreed with at least a substantial part of my amendments, even though he may not have appreciated it at the time. I look forward to some fruitful and positive discussions on some of those elements between Committee and Report.

When a Bill passes into statute, a Minister and the Government may wish for a number of things in terms of how it is seen and described. One thing that I do not imagine is on the list is for it to be said that this statute generates significant gaps—those words were put perfectly by the noble Viscount, Lord Stansgate. That it generates significant gaps is certainly the current position. I hope that we have conversations between Committee and Report to address at least some of those gaps and restate some of the positions that exist, before the Bill passes. That would be positive for individuals, citizens and the whole of the country. For the moment, I beg leave to withdraw my amendment and look forward to those subsequent conversations.

Amendment 197A withdrawn.

Amendments 197B and 197C not moved.

Clauses 104 to 108 agreed.

Amendment 198

Moved by

198: After Clause 108, insert the following new Clause—

“Interpretation of the PEC Regulations

In regulation 2 of the PEC Regulations (interpretation)—

(a) in paragraph (4) omit “, without prejudice to paragraph (3),”, and

(b) at the end insert—

“(5) References in these regulations to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of the Periods of Time Regulation, except that Article 3(4) of that Regulation does not apply to the interpretation of a reference to a period in regulation 16A.

(6) In paragraph (5), “the Periods of Time Regulation” means Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.””

Member's explanatory statement

This amendment provides for the rules of interpretation in Article 3 of Regulation No 1182/71 (rules of interpretation regarding periods of time etc) to apply to the Privacy and Electronic Communications (EC Directive) Regulations 2003, with an exception for regulation 16A. It also removes a superfluous cross-reference.

Amendment 198 agreed.

Committee adjourned at 8.21 pm.