My Lords, in moving Amendment 7 I shall speak also to Amendments 152 and 169, which have been grouped together. They all stand in my name and that of my noble friend Lord Arbuthnot of Edrom, who spoke so eloquently at Second Reading.
Amendment 7 explores an exemption for small organisations in the business and charity sectors and for parish councils, all of whom have expressed concerns to me about the burdens of the Bill. At Second Reading, I, like others, supported the Bill because it brings us up to date for the digital age, encourages good data practice to minimise scams and cyberattacks, and prevents abuse. It gets us up to the standards we need to get a good deal on data protection in the Brexit talks, and it provides citizens with easier access to their data. However, as presently drafted, I fear it imposes disproportionate burdens, especially on small businesses, charities and other small organisations. Luckily we have my noble friend Lord Ashton to guide us through this part of the Bill, and I congratulate him on his response to the first group of amendments today.
I come to this matter because sometimes I feel like a voice in the wilderness, fighting over-regulation and complexity. Our recent record on productivity is bad, partly because of poorly constructed and complex regulation and, in some cases, overbearing regulators. I would add that the fashion for intervention on all sides of the House could actually make things worse.
Instead of questioning regulation as we used to do, the Government are now seeking to match every EU rule as part of the Brexit project. Detailed consideration of how to ameliorate the impact on small businesses and charities, for example, seems to have gone out of the window and conversations on how to improve things once Brexit has given us greater freedom are regrettably not encouraged. In short, economics gets less attention in this House
than it ought to. Those of us who have worked in business and the charitable sector know that well-meaning measures can adversely affect business by reducing competitiveness and growth, and indeed the tax take we need to build schools and pay for welfare. We are regulating more and not thinking about how we can do less. I was struck by what the noble Lord, Lord McNally, said earlier about the good but light touch that he sought in Brussels when he was dealing with data protection legislation.
Research by the Federation of Small Businesses shows that data protection regulation is one of the most salient regulations for 59% of small businesses. The federation provided me with some estimates which suggest that small businesses in the ICT sector alone, representing 6% of the business sector according to the ONS, will spend £700 million in man hours on implementing the new requirements—and that is not allowing for the cost of materials and ongoing compliance. Nor does it allow for the opportunity cost, another economic concept that is widely ignored in government. What we sorely need is a proper impact assessment, not the one provided so far, which does not address the cost to business and, oddly, suggests that there is no need to consult the Regulatory Policy Committee. If it is not needed for this sort of burden, I am not sure what it is needed for.
This House rightly always supports proper costing, as I know from some of the Bills I have been involved in. Before the Committee stage ends, we need to know the updated cost impact for business of what is coming in: first, under the GDPR, which will take direct effect and, as I understand it, continue after Brexit under the terms of the withdrawal Bill; and secondly, under what is planned in this Bill through the regulations to be made using its powers. I hope the Minister can help us with that.
It is against this background that Amendment 7 proposes an exemption from the Bill’s provisions—not, of course, from the GDPR, which has direct effect. Inevitably, the amendment is exploratory in nature. However, I trust that it will give the Minister, DCMS and the Information Commissioner the opportunity to think carefully about what we might do to reduce the burden on small businesses, charities and parish councils, which the National Association of Local Councils says are very concerned about the panoply of new rules. I cannot believe that we would see these in Greece.
The argument I have heard from the Government is that the changes are good for these organisations because they are under-compliant at present: they would deter the cyberattacks and data leaks that can harm them. I accept that responsible bodies know that good data practices are business critical, but what they do not need is the full panoply of controls, fees and penalties being introduced by this Bill. There is a risk of fines for breaches of up €20 million or 4% of worldwide turnover. My fear is that the controls are so burdensome, open-ended and threatening that at the margin, businesses will either give up or be deterred from operating overseas—at a time when we need them to export more. We need to find a way of
bringing in de minimis rules and reducing the powers of the commissioner to what is reasonable. Another look at the compensation provisions with an eye to small operators could also be useful. I note that the Delegated Powers and Regulatory Reform Committee shares some of my concerns about the powers being given to the commissioner, as well as the extraordinarily wide powers being delegated to Ministers, which we will discuss later.
One practical countermeasure would be to introduce a greater emphasis in the Bill on the economic and other consequences of the commissioner’s work and to make this transparent, so that it can be considered properly by all those affected and publicly debated before she takes measures in relation to the protection of individuals’ rights and the processing of personal data.
That is the purpose of Amendment 152, which adds a third duty after subsection (1)(b). Perhaps I may give an example of why this is of practical importance. I spoke to representatives from CACI, a leading firm in mapping and data analytics, which is the sort of business we want to encourage if we are to be world-leading here in the UK. They are concerned about the technical aspects of ICO draft statutory guidance on consent. The fear is that the ICO may be adopting a needlessly restrictive interpretation of the GDPR which will benefit the large social media multinationals at the expense of British operators in retail and marketing, as well as charities. This would threaten the way that they and others run their businesses. I urge Ministers to meet representatives of the business community most at risk, not just the trade associations, as soon as possible and before the ICO finalises its vital guidance.
I believe strongly that regulators with powers as wide as those of the Information Commissioner need to engage properly on the content of draft regulations and draft guidance, which is often equally important. They must be required and of course resourced to do so; otherwise—going back to my first point—the burdens and risks will be disproportionate.
6.15 pm
Finally, Amendment 169 would introduce a new clause after Clause 153 to give the Secretary of State a role in ensuring top-quality, comprehensive information on the changes for business. Small businesses operate under a number of constraints tied to their size, such as limited in-house expertise, owners’ limited time, a limited asset base—and, of course, knowing where to go for help. When the FSB survey asked small businesses what aspects of regulation created the biggest barriers in general, 15% cited lack of guidance. On data protection in particular, that figure rose to 35%. Even worse, when asked about data protection, 58% said that regulation was too broad and it was difficult to know how to comply, with 51% citing inconsistent or complex language.
That is the background to my proposal in Amendment 153 to require clear information at least six months before the rules come in and suitable online material, and for a report to be brought before
Parliament on how this is being achieved before the provisions of the new Act come into force. Our amendment requires online information on both the new Act and on the GDPR in a simple and easily accessible form, along with the use of free online training and testing. I know from direct experience that this can be invaluable in helping businesses to actually comply.
Indeed, it can also be invaluable to charities. Proper, clear information and guidance is vital to them and their data controllers. They face the same uncertainties, costs, and commercial and reputational risk from prosecution. I therefore also support Amendment 170, which would add charities, and I am delighted that it comes from the noble Lord, Lord Clement-Jones, with whom I have had such productive dealings on intellectual property. I beg to move.