My Lords, under Clause 59, the controller must record certain information, including, according to subsection (2)(g),
“where applicable, details of the use of profiling”.
The purpose of Amendment 137B is to ask whether, if profiling is used, this is not applicable. My amendment would delete the words, but the Minister will understand that I am probing.
I am afraid this is quite a big group of amendments. Clause 62 provides for data protection impact assessments when there is a “high risk” to “rights and freedoms”. In assessing the risk, the controller,
“must take into account the nature, scope, context and purposes of the processing”.
Amendment 137C would insert a reference to,
“new technologies, mechanisms and procedures”,
picking up wording which is in articles 27 and 28 of the law enforcement directive.
Clause 63 requires consultation with the commissioner where there is a “high risk” to “rights and freedoms”. Article 28(3) of the directive allows for the “supervisory authority”—the commissioner, in our case—to,
“establish a list of the processing operations which are to be subject to prior consultation”.
Amendment 137D would allow the commissioner to “specify other conditions” where consultation is required. I am not sure I would defend the approach of having regulations under a negative resolution. The amendment was tabled following a certain amount of toing and froing—aka consultation with me—because my original amendment did not quite work, or at any rate I was not clear enough about it. I was not at Westminster at the time and I think I did not take in properly over the phone what was being proposed. I am sure the Minister will not take me too much to task for that, but focus instead on the nub of this.
Under Clause 63, the commissioner is required to give advice to the controller and the processor when she thinks that the intended processing would infringe Part 3. Amendment 137E set outs what advice would be included “to mitigate the risk” and would be a
reminder of the commissioner’s powers in the event of non-compliance. The amendment builds on rather fuller provisions in article 28 of the directive, which provides for the use of powers.
Amendment 137F would amend Clause 64, which deals with the security of processing and refers to,
“appropriate measures … to ensure a level of security appropriate to the risks”.
The amendment proposes what “appropriate measures” might be, in particular whether cost is a criterion. Article 29(1) seems to envisage this—are we envisaging it in the Bill?
As for Amendment 137G, there is a duty in Clause 66 to inform the data subject when there is a breach, but not when the controller has implemented protection measures. In seeking to change “has” to “had” implemented, I just seek confirmation that the measures in question were applied before the breach. One might read the clause as meaning that, subsequently, steps had been taken and protection measures implemented. That will be good for the future, but would not address the specific breach.
On Amendment 137H, Clause 66(7) gives a wide exemption, setting out the reasons for restricting the provision of information to a data subject. I assume from the words “so long as necessary” that, once a specific security threat has passed or a court case is over, the right to that information would revive. Can the Minister confirm this? Again, I am not sure what the role of the commissioner would be here.
On Amendment 137J, Clause 69 sets out the tasks of the data protection officer. Chapter 5 of this part deals with transfers to third countries. By requiring the updating of controllers on the development of standards of third countries, my amendment suggests that the data protection officer should keep on top of international issues.
Amendment 137K is an amendment to Clause 71 in Chapter 5, on the principles for the transfer of data to a third country or international organisation. It would insert an explicit requirement that the rights of the data subject be protected. Article 44 provides:
“All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
That is broad and overarching. My amendment probes how that protection is covered: is it in the detail of the subsequent clauses? It is spelled out in the article; does that imply that the clauses might not always properly provide protection if we do not spell it out in the same way, given the reflections that the Bill provides?
On Amendments 137L and 137M, authorisation under Clause 71(1)(b) from another member state from which the data originated is not required if the transfer is necessary for the prevention of a threat to the essential interests of a member state and authorisation cannot be obtained in good time. The amendments probe whether “essential interests” are more than law enforcement purposes—the first condition for transfer. Will the interests be clear? Is there a confusing element of subjectivity here? The person who wants the data might see things quite differently from the person who is being asked to transfer it. It is open to us to provide higher safeguards, which is what I am working towards.
“Obtaining in good time” perhaps suggests a slightly more relaxed attitude than the subject matter should demand. I would substitute a reference to urgency.
On Amendment 137N—noble Lords will be relieved to know that I am on the last of our amendments in this group—there can be a transfer on the basis of special circumstances under Clause 74. I welcome the fact that, in some cases, the controller can refuse a transfer because fundamental rights and freedoms override the public interest in the transfer. Presumably, the controller’s determination must be reasonable. This seems to give some discretion to the commissioner; I wonder whether the commissioner might give guidance rather than leaving it entirely up to the controller. I beg to move.