My Lords, this has been a lengthy but excellent debate. I very much welcome the broad support from across the House for the Bill’s objectives; namely, that we have a data protection framework that is fit for the digital age, supports the needs of businesses, law enforcement agencies and other public sector bodies, and—as the noble Lord, Lord Kennedy, said—safeguards the rights of individuals in the use of their personal data.
In bringing the Bill before your Lordships’ House at this time, it is fortunate that we have the benefit of two recent and very pertinent reports from the Communications Committee and the European Union Committee. Today’s debate is all the better for the insightful contributions we have heard from a number of members of those committees, namely the noble Lord, Lord Jay, the noble Viscount, Lord Colville, the noble Baroness, Lady Kidron, the right reverend Prelate the Bishop of Chelmsford and my noble friend Lady Neville-Rolfe.
In its report Growing Up with the Internet, the Communications Committee noted with approval the enhanced rights that the GDPR would confer on children, including the right to be forgotten, and asked for those rights to be enshrined in UK law as a minimum standard. I am pleased to say the Bill does just that. The European Union Committee supported the Government’s objective to maintain the unhindered and uninterrupted flow of data with other member states following the UK’s exit from the EU. Understandably, the committee pressed the Government to provide further details of how that outcome will be achieved.
With the provisions in the Bill, the UK starts from an unprecedented point of alignment with the EU in terms of the legal framework underpinning the exchange and protection of personal data. In August, the
Government set out options for the model for protecting and exchanging personal data. That model would allow free flows of data to continue between the EU and the UK and provide for ongoing regulatory co-operation and certainty for businesses, public authorities and individuals. Such an approach is made possible by the strong foundations laid by the provisions in the Bill.
In other contributions to this debate, we have had the benefit of a wide range of experiences, including from noble Lords who are able to draw on distinguished careers in business, education, policing or the Security Service. In doing so, noble Lords raised a number of issues. I will try to respond to as many of those as I can in the time available, but if there are specific points, as I am sure there will be, that I cannot do justice to now, both my noble friend Lord Ashton and I will of course follow up this debate with a letter.
A number of noble Lords, including the noble Lord, Lord Kennedy, the noble Baroness, Lady Lane-Fox, and my noble friend Lady Neville-Rolfe, asked whether the Bill was too complex. It was suggested that data controllers would struggle to understand the obligations placed on them and data subjects to understand and access their rights. As the noble Lord, Lord Paddick, said, the Bill is necessarily so, because it provides a complete data protection framework for all personal data. Most data controllers will need to understand only the scheme for general data, allowing them to focus just on Part 2. As now, the Information Commissioner will continue to provide guidance tailored to data controllers and data subjects to help them understand the obligations placed on them and exercise their rights respectively. Indeed, she has already published a number of relevant guidance documents, including—the noble Lord, Lord Kennedy, will be interested to know this—a guide called Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now. It sounds like my type of publication.
Other noble Lords rightly questioned what they saw as unnecessary costs on businesses. My noble friends Lord Arbuthnot and Lady Neville-Rolfe and the noble Lord, Lord Kennedy, expressed concern that the Bill would impose a new layer of unnecessary regulation on businesses—for example, in requiring them to respond to subject access requests. Businesses are currently required to adhere to the Data Protection Act, which makes similar provision. The step up to the new standards should not be a disproportionate burden. Indeed, embracing good cybersecurity and data protection practices will help businesses to win new customers both in the UK and abroad.
A number of noble Lords, including the noble Lord, Lord Jay, asked how the Government would ensure that businesses and criminal justice agencies could continue, uninterrupted, to share data with other member states following the UK’s exit from the EU. The Government published a “future partnership” paper on data protection in August setting out the UK’s position on how to ensure the continued protection and exchange of personal data between the UK and the EU. That drew on the recommendations of the very helpful and timely report of the European Union Committee, to which the noble Lord referred. For example, as set out in the position paper, the Government
believe that it would be in our shared interest to agree early to recognise each other’s data protection frameworks as the basis for continued flow of data between the EU and the UK from the point of exit until such time as new and more permanent arrangements came into force. While the final arrangements governing data flows are a matter for the negotiations—I regret that I cannot give a fuller update at this time—I hope that the paper goes some way towards assuring noble Lords of the importance that the Government attach to this issue.
The noble Baroness, Lady Kidron, queried the status of Article 8 of the European Charter of Fundamental Rights, which states:
“Everyone has the right to the protection of personal data concerning him or her”.
The Bill will ensure that the UK continues to provide a world-class standard of data protection both before and after we leave the European Union.
Several noble Lords, including the noble Lord, Lord Paddick, in welcoming the Bill asked whether the Information Commissioner would have the resource she needs to help businesses and others prepare for the GDPR and LED and to ensure that the new legislation is properly enforced, especially once compulsory notification has ended. The Government are committed to ensuring that the Information Commissioner is adequately resourced to fulfil both her current functions under the Data Protection Act 1998 and her new ones. Noble Lords will note that the Bill replicates relevant provisions of the Digital Economy Act 2017, which ensures that the Information Commissioner’s functions in relation to data protection continue to be funded through charges on data controllers. An initial proposal on what those changes might look like is currently being consulted upon. The resulting regulations will rightly be subject to parliamentary scrutiny in due course.
Almost every noble Lord spoke in one way or another about protecting children online, particularly the noble Baroness, Lady Kidron, and the right reverend Prelate the Bishop of Chelmsford, who referred to the Select Committee on Communications report Growing Up with the Internet. The focus of that report was on addressing concerns about the risk to children from the internet. The Government believe that Britain should be the safest place in the world to go online and we are determined to make that a reality. I am happy to confirm that the Government will publish an internet safety strategy Green Paper imminently. This will be an important step forward in tackling this crucial issue. Among other things, the Green Paper will set out plans for an online code of practice that we want to see all social media companies sign up to, and a plan to ensure that every child is taught the skills they need to be safe online.
The other point that was brought up widely, including by the noble Lord, Lord Kennedy, was whether it was appropriate for 13 year-olds to be able to hand over their personal data to social media companies without parental consent. We heard alternative perspectives from my noble friend Lord Arbuthnot and the noble Baroness, Lady Lane-Fox. Addressing the same clause, the right reverend Prelate the Bishop of Chelmsford questioned the extent to which the Government had
consulted on this important issue. The noble Baroness, Lady Howe, and the noble Lord, Lord Kennedy, made a similar point. In answer to their specific questions, 170 organisations and numerous individuals responded to the Government’s call for views, published in April, which addressed this issue directly. The Government’s position reflects the responses received. Importantly, it recognises the fundamental role that the internet already plays in the lives of teenagers. While we need to educate children on the risks and to work with internet companies to keep them safe, online platforms and communities provide children and young people with an enormous educational and social resource, as the noble Baroness, Lady Lane-Fox, pointed out. It is not an easy balance to strike, but I am convinced that, in selecting 13, the Government has made the right choice and one fully compatible with the UN Convention on the Rights of the Child, to which the noble Lord, Lord Stevenson, referred.
The noble Baronesses, Lady Jay and Lady Hamwee, stressed the importance of adequate understanding of digital issues, particularly among children. Improving digital skills is a priority of the Government’s digital strategy, published earlier this year. As noble Lords will be aware, the Digital Economy Act created a new statutory entitlement to digitals skills training, which is certainly an important piece of the puzzle. As I have already said, the Government will publish a comprehensive Green Paper on internet safety imminently which will explore further how to develop children’s digital literacy and provide support for parents and carers.
The noble Baroness, Lady Ludford, and the noble Lord, Lord Paddick, I think it was, asked about the Government choosing not to exercise the derogation in article 80 of the GDPR to allow not-for-profit organisations to take action on behalf of data subjects without their consent. This is a very important point. It is important to note that not-for-profit organisations will be able to take action on behalf of data subjects where the individuals concerned have mandated them to do so. This is an important new right for data subjects and should not be underestimated.
The noble Baroness, Lady Manningham-Buller, the noble Lords, Lord Kennedy and Lord Patel, and my noble friend Lady Neville-Jones all expressed concern about the effect that safeguards provided in the Bill might have on certain types of long-term medical research, such as clinical trials and interventional research. My noble friend pointed out that such research can lead to measures or decisions being taken about individuals but it might not be possible to seek their consent in every case. The noble Lord, Lord Patel, raised a number of related issues, including the extent of Clause 7. I assure noble Lords that the Government recognise the importance of these issues. I would be very happy to meet noble Lords and noble Baronesses to discuss them further.
The noble Baroness, Lady Ludford, and the noble Lord, Lord Patel, noted that the Bill is not going to be used to place the National Data Guardian for Health and Social Care on a statutory footing. I assure them that the Government are committed to giving the National Data Guardian statutory force. A Bill to this end was introduced in the House of Commons on
5 September by my honourable friend Peter Bone MP, and the Government look forward to working with him and parliamentary colleagues over the coming months.
My noble friend Lord Arbuthnot and others questioned the breadth of delegated powers provided for in Clause 15, which allows the Secretary of State to use regulations to permit organisations to process personal data in a wider range of circumstances where needed to comply with a legal obligation, to perform a task in the public interest or in the exercise of official authority. Given how quickly technology evolves and the use of data can change, there may be occasions when it is necessary to act relatively quickly to provide organisations with a legal basis for a particular processing operation. The Government believe that the use of regulations, rightly subject to the affirmative procedure, is entirely appropriate to achieve that. But we will of course consider very carefully any recommendations made on this or any other regulation-making power in the Bill by the Delegated Powers and Regulatory Reform Committee, and I look forward to seeing its report in due course.
The noble Viscount, Lord Colville, queried the role of the Information Commissioner in relation to special purposes processing, including in relation to journalism. In keeping with the approach taken in the 1998 Act, the Bill provides for broad exemptions when data is being processed for journalism, where the controller reasonably believes that publication is in the public interest. I reassure noble Lords that the Information Commissioner’s powers, as set out in Clause 164, are tightly focused on compliance with these requirements and not on media conduct more generally. There is a right of appeal to ensure that the commissioner’s determination can be challenged. This is an established process which the Bill simply builds upon.
The noble Lord, Lord Black, questioned the power given to the Information Commissioner to assist a party or prospective party in special purposes proceedings. In this sense, “special purposes” refers to journalistic, literary, artistic or academic purposes. The clause in question, Clause 165, replicates the existing provision in Section 53 of the 1998 Act. It simply reflects the potential public importance of a misuse of the otherwise vital exemptions granted to those processing personal data for special purposes. In practice, I am not aware of the commissioner having provided such assistance but the safeguard is rightly there.
The noble Lord, Lord Janvrin, spoke eloquently about the potential impact of the Bill on museums and archives. The Government agree about the importance of this public function. It is important to note that the Data Protection Act 1998 made no express provision relating to the processing of personal data for archiving purposes. In contrast, the Bill recognises that archives may need to process sensitive personal data, and there is a specific condition to allow for this. The Bill also provides archives with specific exemptions from certain rights of data subjects, such as rights to access and rectify data, where this would prevent them fulfilling their purposes.
The noble Lord, Lord Knight, queried the safeguards in place to prevent the mining of corporate databases for other, perhaps quite distinct, purposes, and the
noble Lord, Lord Mitchell, made a similar point. I can reassure them that any use of personal data must comply with the relevant legal requirements. This would include compliance with the necessary data protection principles, including purpose limitation. These principles will be backed by tough new rules on transparency and consent that will ensure that once personal data is obtained for one purpose it cannot generally be used for other purposes without the data subject’s consent.
My noble friend Lord Marlesford raised the desirability of a central system of unique identifying numbers. The Bill will ensure that personal data is collected only for a specific purpose, that it is processed only where there is a legal basis for so doing and that it is always used proportionately. It is not clear to me that setting out to identify everybody in the same way in every context, with all records held centrally, is compatible with these principles. Rather, this Government believe that identity policy is context-specific, that people should be asked to provide only what is necessary, and that only those with a specific need to access data should be able to do so. The Bill is consistent with that vision.
I look forward to exploring all the issues that we have discussed as we move to the next stage. As the Information Commissioner said in her briefing paper, it is vital that the Bill reaches the statute book, and I look forward to working with noble Lords to achieve
that as expeditiously as possible. Noble Lords will rightly want to probe the detailed provisions in the Bill and subject them to proper scrutiny, as noble Lords always do, but I am pleased that we can approach this task on the basis of a shared vision; namely, that of a world-leading Data Protection Bill that is good for business, good for the law enforcement community and good for the citizen. I commend the Bill to the House.