My Lords, I start by thanking the Minister for the opportunity to meet him and officials earlier today.
I welcome the stated purpose of the Bill. In my mind, it must be sensible to unify and consolidate the law in this area, and to update its application to more recent technologies. Bringing the GDPR into UK law is unquestionably desirable. I have been impressed by the GDPR’s elegance and sense of purpose, following, as it does—or claims to do—the European Charter of Fundamental Rights in 88 pages of self-reinforcing statements of principles.
I cannot go on without welcoming the EU Select Committee’s report, so ably spoken to by the noble Lord, Lord Jay, who I see is not in his place. I think it is a pity that the report did not have its own slot. Despite acknowledging that the Bill fleshes out the regulation to make it member-state applicable, like the noble Lord, Lord Stevenson, I worry about a Bill of 218 pages and an explanatory note of 112 pages, plus a departmental pack of 247 pages to deal with it all. That all adds to the complexity. I admit that the GDPR conceals its highly challenging requirements in wording of beguiling simplicity under the flag of private rights, but it is no wonder that the European Parliament did not want its handiwork contextualised by inclusion in what we have before us. It is not a particularly encouraging start to bringing 40 years of EU legislation into domestic law.
In what I felt was an inspirational contribution, the noble Baroness, Lady Lane-Fox—I am sorry she is not in her place—referred to the tortuous use of language in parts of the Bill. I agree with her—parts of it are gobbledygook that deny transparency to ordinary mortals. She referred also to my direct ancestor, Ada Lovelace, some of whose expressions of mathematical principles, even for a non-mathematician such as me, make a good deal more sense than parts of the Bill.
The Bill sets out to replace the 1998 Act with new GDPR provisions, meaning new and enhanced rights of data subjects for access, portability and transparency, and duties on controllers on specific consent—not by default, it should be noted—procedural audit trails, a more clearly defined regulatory and supervisory framework, and potential for substantially increased fines for infractions. There is enough that is new, apart from public expectations and the revised geometry as between data subject and data controller, which will naturally give rise to a fresh view of precedent and practice.
Consistency of the Bill with the GDPR core principles, as well as the fundamental rights upon which it is based, will be our focus at the Bill proceeds. A lot of organisations will need to review the way in which they are authorised, in their logging of the origins and
possible destinations of personal data they hold, as well as the protocols for responding to requests for information from data subjects. I do not doubt that there will be some pitfalls for the unwary. It may no longer be possible to rely on the continuing acceptability and lawfulness of the previous arrangements under which they have operated, nor to second guess with accuracy how regulation and enforcement will unfold henceforward.
So there may be something going well beyond the more benign narrative of updating, modernising and extending the application on its own. There seem to be some particularly uncharted waters here, with the burden of proof as to compliance and adequacy of arrangements being firmly in the lap of the controller on what looks very like a strict liability basis. That alters the geometry of what will be dealt with.
As regards international cross-jurisdictional data— I am thinking of beyond the EU—I wonder how successfully the proposed arrangements will carry forward in the longer term, bearing in mind that the world market contains numerous players who for their own purposes and advantage might not be that keen to match the standards we claim to set for ourselves. Indeed, the construct of ethical data comes to mind, with all the usual caveats previously associated with ethical foreign policy—the noble Lord, Lord Knight, referred to the ethics; I agree with him that there is a strong threat. That would follow a global principle that sits behind GDPR.
The GDPR is hypothecated on the principle of individual compliance of each processor enterprise, so in a data-processing daisy chain across continents the continued tying in to the tenets of the GDPR is an obvious practical problem with some limitations and it should give us cause for reflection, although I have some admiration for the algorithm that the GDPR sets out to create.
I question how the Government view the ongoing processing of more historical personal data, referred to by other noble Lords, when the purpose for collecting it or the basis for any implied or deemed consent either had not been met or should long since have been refreshed or treated as expired. We all know that old data is still sloshing around in the ether, some of them potentially of dubious accuracy, but I merely point to the fact that this is often an ongoing processing operation without beginning or end point or any apparent possibility of amending or deleting records, as mentioned by other noble Lords. The amount of screening needed to ensure accuracy would be vast. I am entirely unclear that this Bill or the GDPR will improve things for those data subjects for whom this sort of thing can be harmful. I am not thinking just of social media. How will legacy data be dealt with, especially as it does not seem to have been entirely successfully corralled by the 1998 Act or by all other member states under the 1995 data protection directive? I see the correction of that as one of the fundamental principles behind the GDPR—it is the trip wire which has been put there deliberately.
I have concerns about some of the “get out” provisions included in the Bill. The first is the “too difficult” excuse; businesses already use this as a blocking measure. How does one get round the argument that it is too
difficult to extract the individual personal data despite knowing that it is the targeted agglomeration of such data, relating to a natural individual, that is the outcome of the processing? The second is that the request is regarded as vexatious. This of course can be concocted by the simple expedient of being evasive towards the first two requests and from the third onwards treating it as repetitive or vexatious—it already happens. I would like reassurance from the Minister that the basic individual rights promised under the GDPR cannot be so circumvented.
The third excuse is “too much data”, referred to by other noble Lords; in other words, there is a lot of personal data held on an individual data subject. Here, there is a provision that the data controller may decline to give information if the precise nature of the data sought is not specified. My impression is that failure of a data subject to specify allows the controller to become unresponsive. If that is the intention, it seems to me to fail the broader test of article 14 of the GDPR, the basic premise of which is that the data subject is entitled to accurate and intelligible information.
It cannot be assumed that the data subject already knows what the scale and nature of the data held actually are or precisely who holds it, although it is clear that the GDPR gives an entitlement to this information. It must follow that, at very least, the controller, in making his “too much data” response, has to identify the general nature, categories and type of data held about that person. I invite the Minister to comment on what is intended. I concur very much with the point so eloquently made by the noble Baroness, Lady Lane-Fox, on the asymmetry of technical knowledge, resource and political clout as between the data subject and the controller, particularly when set against the practical challenge of extracting individual personal data in response to a formal request.
I was reminded of something only yesterday, as a result of a question as to whether a person was or was not at a certain place at a certain time, which was averred by a complainant in a harassment case who used CCTV footage they had created themselves. It was pointed out that the person against whom the complaint was made said they were somewhere else, in a retail premises covered by other CCTV footage. However, it appeared that the retail premises operator would not release the data because it also contained images of other people and there were, accordingly, privacy issues. What is the balance of rights and protections to be in such a case, where somebody faces prosecution?
That leads me to the issue of data collected by public bodies and agencies. I do not think it is generally understood what personal data is shared by police, social services, health bodies and others, some of them mentioned by the noble Lord, Lord Marlesford. Indeed, I am clear that I do not know either, but I believe that many of these agencies hold data in a number of different forms and on a variety of platforms, many of which are bespoke and do not readily talk to other systems. The data are collected for one purpose and used for other purposes, as the noble Lord, Lord Knight, rightly observed. It is on record in debates in this House that some of these bodies do not actually know how many data systems they have, even less what
data—whether usable, personal, relevant or accurate, as the case may be—they actually contain. How does one enforce that situation? Some of these databases may not even be operating with the knowledge of the Information Commissioner. There will be an expectation that that is going to be tightened up.
A considerable measure of latitude is afforded to the processing of personal data in the public interest. I will be very brief on this point. I would not rest easy that we have an adequate separation of genuine public interest from administrative convenience and I looked in vain for clarification as to what public interest would amount to in this context. I have to say that I am even more confused than I was when I started. In the longer term it remains to be seen how the GDPR will work, incorporated into UK law, interpreted and enforced firstly through our domestic courts under the aegis of the EU but subsequently on a twin-track basis, when we will be dealing with it ourselves through the precedents of our own judicial system and the same GDPR will be being looked at in a European context elsewhere.
I want the Bill to work; I want to enable proper business use of data and to empower data subjects, as the GDPR promises, with a minimum of obfuscation, prevarication and deceit. Transparency has not been the hallmark of UK data businesses or government administration in this respect, but without it there is no justice, due process or citizen confidence in the rule of law and it will be corrosive if we do not get this right. However, I do not see any fundamental mismatch between this and best business practice, so I look forward to further debates on the Bill as we proceed.
8.38 pm