My Lords, I can be brief, I hope. Amendment 41A builds on a discussion held in Committee. We were trying to articulate, perhaps not very successfully but with some justification, the nature of the relationship between data subjects and data controllers when data is passed across for processing and use by that data controller. At that time my thinking was stimulated by work that we had read and heard about in relation to the idea that a person’s data could be given a personal copyright. That would open up to data subjects who are giving data to data controllers the rights that come with copyright ordinarily, such as a limited time—quite a long time, though—in which they have ownership and therefore are licensing their data for use. That could be subject to remuneration, as is very often the case in the creative industries where copyrights are used; they are used on a licensed basis for which remuneration is returned. If that were the case, one might also question whether copyright should be time-limited. That would put an end to the question of whether data subjects could withhold or retract their information in some sense, or rectify it so that it would not, therefore, be archived or go forward into other activities.
Since that time, a surprisingly large number of people have contacted me about this and offered advice and thoughts—not all of it helpful, I have to say. There seems to be a certain feeling that personal copyright is not the way to go forward on this, although I am still quite attracted to it. However, in that process I got a very interesting set of communications around the idea of data subjects becoming controllers of their own data; in other words, personal data controllers. This is a difficult concept. It seems to suggest that two characteristics are existing in the same time and space. Of course, the force will be with us when we get to this, but I am not sure I quite understand how it would happen. I think the problem has come because of the timeframe in which the GDPR was created. Preliminary debates took place in 2012 to 2014, and the GDPR dates from 2016 and will come in in 2018. We are talking about six to eight years since the original thinking, which is a very long time in cyberspace.
We have found that technology has moved ahead of us and the issue raised by this amendment, if I may be so bold as to suggest it, is that we will have to think quite hard about how individual data is used by data controllers, in the context not just of the Bill, but of the way in which the technology is moving. I fully expect the Minister to say that this is a blue-sky issue that needs to be picked up and looked at. Warm words will be offered and even a smile or two might glance its way across the Chamber to me and I will sit down in a miasma of happiness as a result, but the truth is that we need expertise and advice—this is not an easy concept, even if the force is with us. We will need to think harder about all these issues, including the points we have been talking about in terms of algorithms and automated use, in the context of people’s advancing rights and use of their data. It calls for a data ethics commission. The subject will come up again and I am sure that we will return to it on day three of Report, but in the interim I beg to move.