My Lords, I am grateful to the noble Lord for introducing these amendments. Perhaps I may begin by referring to Amendment 153. The requirement set out in the Data Protection Act 1998 for the Information Commissioner to maintain a register of data controllers, and for those controllers to register with the commissioner, was introduced to support the proper implementation of data protection law in the UK and to facilitate the commissioner’s enforcement activity. At the time when it was introduced, it was a feasible and effective measure. However, in the intervening 20 years, the use of data in our society has changed beyond all recognition. In today’s digital age, in which an ever-increasing amount of data is being processed, there has been a correspondingly vast increase in the number of data controllers and the data processing activities they undertake. There are now more than 400,000 data controllers registered with the Information Commissioner, a number which is growing rapidly. The ever-increasing amount and variety of data processing means that it is increasingly difficult and time consuming for her to maintain an accurate central register giving details on the wide range of processing activities they undertake.
The Government believe that the maintenance of such an ever-growing register of the kind required by the 1998 Act would not be a proportionate use of the Information Commissioner’s resources. Rather, as I am sure noble Lords will agree, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data, seeking redress for the distress this causes and preventing the recurrence of such breaches. The GDPR does not require that a register similar to that created by the 1998 Act be maintained, but that does not mean there is a corresponding absence of transparency. Under articles 13 and 14 of the GDPR and Clauses 42 and 91 of the Bill, controllers must provide data subjects with a wide range of information about their processing activities or proposed processing activities at the point at which they obtain their data.
Nor will there be absence of oversight by the commissioner. Indeed, data controllers will be required to keep records of their processing activities and make those records available to the Information Commissioner on request. In the event of non-compliance with such a request, the commissioner can pursue enforcement action. The only material change from the 1998 Act is that the Information Commissioner will no longer have the burden of maintaining a detailed central register that includes controllers’ processing activities.
I turn now to Amendment 153ZA which would give the Information Commissioner two new duties. The Government believe that both are unnecessary. The first new duty, to verify the proportionality of a controller’s reliance on a derogation and ensure that the controller has adequate systems in place to safeguard the rights of data subjects, is unnecessary because proportionality and adequate safeguards are core concepts of both the GDPR and the Bill. For example, processing is permissible only under a condition listed in Schedule 1 if it is necessary for a reason of substantial public interest. Any provision to require the commissioner to enforce the law is at best otiose and at worst risks skewing the commissioner’s incentives to undertake enforcement action. Of course, if the noble Lord feels that the Bill would benefit from additional safeguards or proportionality requirements, I would be happy to consider them.
The second new duty, to consult on how to support claims taken by UK residents against a data controller based in another territory who has breached their data protection rights, is in our view also unnecessary. As made clear in her international strategy, which was published in June, the Information Commissioner is very aware of the need for international co-operation on data protection issues, including enforcement. For example, she is an active member of the Article 29 Working Party and the Global Privacy Enforcement Network, and her office provides the secretariat for the Common Thread Network, which brings together Commonwealth countries’ supervisory authorities. Only last month, her office led an international sweep of major consumer websites, in which 23 other data protection regulators from around the world participated. Clause 118 of the Bill and article 50 of the GDPR require her to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the Government do not feel that additional prescriptive requirements would add value.
3.30 pm
The noble Lord talked about co-operation with EU member states after the UK has left the EU. As he noted, the Information Commissioner works closely with other EU regulators and is well-regarded among her EU and international counterparts. But of course, the detail, such as representatives, on how the UK and EU systems interact post exit is a matter for negotiations, and the Government are keen for this co-operation to continue and do not see any reason why it should not. We believe that regulatory co-operation between the UK and the EU on a range of issues, including data protection, will be essential, not least because the GDPR will continue to apply to UK businesses, offering goods and services to individuals in the EEA. We want to build a new, deep and special partnership with the EU; that relationship could enable an ongoing role for the Information Commissioner in EU regulatory forums, preserving the existing valuable regulatory co-operation and building a productive partnership to tackle future challenges.
While we are on the subject of the Information Commissioner’s role, I want to comment on a matter that the House authorities have raised with the Bill team. There are some concerns about the potential role of the commissioner in relation to proceedings in Parliament. For example, it may arguably be a breach of the GDPR for a corporate officer of the House to continue to process inaccurate personal data contained in privileged material, such as an Early Day Motion containing names of individuals, which in theory could be enforceable by action taken by the Information Commissioner. Let me put on record that there is no intention that the Information Commissioner be involved in the proceedings of Parliament. Article 6 of the GDPR sets out the function of the commissioner and we have included in the Bill provision to supplement that where we can. While the commissioner must be independent, she also reports to, and respects, Parliament and will not interfere with proceedings or undermine parliamentary privilege.
I hope that provides some reassurance to the House authorities. I also hope that, in the light of my response to the proposed amendments, noble Lords feel able not to press them today. Before I finish, I should mention the intervention of the noble Baroness, Lady O’Neill. I asked her for the paragraph she mentioned; I looked at it, but I am afraid I was not quick enough to catch up with her. If I may, I will read her comments in Hansard and reply by letter.