Having worked hard since the very first version of this bill (which was introduced into the Commons two years ago) to demonstrate its fundamental flaws, I and many other members of the Lords, and campaigning organisations, were delighted that the government failed to get it pushed through on so-called wash up when the General Election was called in May.
This is great news for citizens and for businesses too which would have faced the complications and expense of different compliance regimes in the EU and UK.
This is an edited version of what I said on Second Reading back in December 2023.
The Minister will have heard the concerns expressed throughout the House—not a single speaker failed to express concerns about the contents of the Bill. The retention and enhancement of public trust in data use and sharing is of key importance, but so much of the Bill seems almost entirely motivated by the Government’s desire to be divergent from the EU to get some kind of Brexit dividend.
As we have heard from all around the House, the Bill dilutes where it should strengthen the rights of data subjects. We can then all agree on the benefits of data sharing without the risks involved. The Equality and Human Rights Commission is clearly of that view, alongside numerous others, such as the Ada Lovelace Institute and as many as 26 privacy advocacy groups. Even on the Government’s own estimates, the Bill will have a minimal positive impact on compliance costs—in fact, it will simply lead to companies doing business in Europe having to comply with two sets of regulations.
I will be specific. I will go through a number of areas where I believe those rights are being diluted. The amended and more subjective definition of “personal data” will narrow the scope of what is considered personal data. Schedule 1 sets out a new annexe to the GDPR, with the types of processing activities that the Government have determined have a recognised legitimate interest and will not require a legitimate interest human rights balancing test to be carried out. Future Secretaries of State can amend or add to this list of recognised legitimate interests through secondary legislation. As a result it will become easier for political parties to target children as young as 14 during election campaigns, even though they cannot vote until they are 16 or 18, depending on the jurisdiction.
The Bill will change the threshold for refusing a subject access request, which will widen the grounds on which an organisation could refuse requests. There are existing difficulties of making those subject access requests. Clause 12, added on Report in the Commons, further tips power away from the individual’s ability to access data.
There are also changes to the automated decision-making provisions under Article 22 of the GDPR. The Bill replaces Article 22 with articles that reduce human review of automated decision-making. Article 22 should in fact be strengthened so that it applies to partly automated processing as well, and it should give rights to people affected by an automated decision, not just those who provide data. This should be the case especially in the workplace. A decision about you may be determined by data about other people whom you may never have met.
The Bill amends the circumstances in which personal datasets can be reused for research purposes. New clarifying guidance would have been sufficient, but for-profit commercial research is now included. As we discussed in debates on the then Online Safety Bill, the Bill does nothing where it really matters: on public interest researcher access.
The Bill moves away from UK GDPR requirements for mandatory data protection officers, and it also removes the requirement for data protection impact assessments. All this simply sets up a potential dual compliance system with less assurance—with what benefit? Under the new Bill, a controller or processor will be exempt from the duty to keep records, unless they are carrying out high-risk processing activities. But how effective will this be? One of the main ways of demonstrating compliance with GDPR is to have a record of processing activities.
There are also changes to the Information Commissioner’s role. We are all concerned about whether the creation of a new board will enable the ICO to maintain its current level of independence for data adequacy purposes. This is so important, as the noble Baroness, Lady Young, and my noble friend Lord McNally pointed out.
As regards intragroup transfers, there is concern from the National Aids Trust that Clause 5, permitting the intragroup transmission of personal health data
“where that is necessary for … administrative purposes”,
could mean that HIV/AIDS status is inadequately protected in workplace settings.
Schedule 5 to the Bill amends Chapter 5 of the UK GDPR to reform the UK’s regime for international transfers, with potential adverse consequences for business. There are the dangers of adopting too low standards internationally. This clearly has the potential to provide less protection for data subjects than the current test.
In Clause 17, the Bill removes a key enabler of collective interests, consultation with those affected by data and processing during the data protection risk assessment process, and it fails to provide alternative opportunities. Then there is the removal of the legal obligation to appoint a representative. This risks data breaches not being reported, takes away a channel of communication used by the ICO to facilitate its investigations, and increases the frustration of UK businesses in dealing with overseas companies that come to the UK market underprepared to comply with the UK GDPR.
Given that catalogue, it is hardly surprising that so many noble Lords have raised the issue of data adequacy. If I read out the list of all the noble Lords who have mentioned it, I would probably mention almost every single speaker in this debate. It is clear that the Bill significantly lowers data protection standards in the UK, as compared with the EU. On these Benches, our view is that this will undermine the basis of the UK’s EU data adequacy. The essential equivalence between the UK and the EU regimes has been critical to business continuity following Brexit. The Government’s own impact assessment acknowledges that, as the UK diverges from the EU GDPR, the risk of the EU revoking its adequacy decisions will increase. So I very much hope that the Minister, in response to all the questions he has been asked about data adequacy, has some pretty good answers, because there is certainly a considerable degree of concern around the House about the future of data adequacy.
In addition, there are aspects of the Bill that are just plain wrong. The Government need to deliver in full on their commitments to bereaved families made during the passage of what became the Online Safety Act, regarding access to their children’s data, in insisting that this is extended to all deaths of children. I very much hope that the Minister will harden up on his assurances at the end of the debate.
Noble Lords, questioned the abolition of the Surveillance Camera Commissioner, and the diminution of the duties relating to biometric data. Society is witnessing an unprecedented acceleration in the capability and reach of surveillance technologies, particularly live facial recognition, and we need the commissioner and Surveillance Camera Code of Practice in place. As the Ada Lovelace Institute says in its report Countermeasures, we need new and more comprehensive legislation on the use of biometrics, and the Equality and Human Rights Commission agrees with that too.
As regards the unrestrained financial powers, inserted at Commons Report stage, Sir Stephen Timms MP, chair of the DWP Select Committee, very rightly expressed strong concerns about this. These powers are entirely disproportionate and we will be strongly opposing them.
Then we have the new national security certificates and designation notices. These would give the Home Secretary great and unaccountable powers to authorise the police to violate our privacy rights, through the use of national security certificates and designation notices, without challenge. The Government have failed to explain why they believe these clauses are necessary to safeguard national security.
There is a whole series of missed opportunities during the course of the Bill. The Bill was an opportunity to create ethical, transparent and safe standards for AI systems. A number of noble Lords all said that this is a wasted opportunity to create measures adequate to an era of ubiquitous use of data through AI systems. The noble Baroness, Lady Kidron, in particular talked about this in relation to children, generative AI and educational technology. It is so important in the public sector as well.
The EU has just agreed in principle to a new AI Act. We are miles behind the curve. Then, of course, we have the new identification verification framework. The UK has chosen not to allow private sector digital ID systems to be used for access to public servives. Perhaps the Government could explain why that is the case.
There are a number of other areas, such as new models of personal data control, which were advocated as long ago as 2017, with the Hall-Pesenti review- data instritutions, comunities and truits. Why are the Government not being more imaginative in that sense? There is also the avoidance of creating a new offence of identity theft. That seems to be a great missed opportunity in this Bill.
There is the question of holding AI system providers to be legally accountable for the generation of child sexual abuse material online by using their datasets. . Why are the Government not taking the opportunity to correct the the case of ICO v Experian ?
In the face of the need to do more to protect citizens’ rights, this Bill is a dangerous distraction. It waters down rights, it is a huge risk to data adequacy, it is wrong in many areas and it is a great missed opportunity in many others. We on these Benches will oppose a Bill which appears to have very few friends around the House. We want to amend a great many of the provisions of the Bill and we want to scrutinise many other aspects of it where the amendments came through at a very late stage. I am afraid the Government should expect this Bill to have a pretty rough passage.
