My Lords, I agree with just about everything that the noble Lord, Lord Clement-Jones, said, particularly on the comments—they have been passed to me as well—from the Local Government Association, which seems to have been badly hit by the changes. He will remember, although I think this predates the Minister, that we went through some of the thinking behind the charges in what is now the Digital Economy Act. He will recall the debate and discussion at that time; it is good to see it coming through now in a form that we can look at.
I will not repeat some of the issues that have been raised because I come at this with a slightly different argument, although we arrive at roughly the same place. First, noble Lords could not have gone through the Data Protection Bill without recognising, as the Minister did, the huge amount of extra work and responsibility that will lie with the ICO after it went through. It is an astonishing step change. Yes, it is true that that is reflected in the additional resources, which will be calculated to flow from these changes and increases in the fee structure, but two questions arise. We are relying for the arithmetic on work that was done, as I understand it, by working through the new charge structure; the department has modelled the anticipated income generated to try to come up with something. Two things occur to me from that.
First, what happens if the calculations are wrong? As we speak, we are living through a situation in which a huge additional workload has suddenly landed on the ICO’s desk. Cambridge Analytica was not a household name before this week’s revelations but if the matter goes to court to get submissions, the ICO will have to prosecute and defend itself. I cannot quite see where that was built into things. I am not looking for a specific response but I want to sharpen the question. It is all very well being on a cost-recovery basis when the funds exceeds the expenses, but what happens when they do not? Who will carry the cost? Can the Minister comment on that? Secondly, would it be possible to get a bit more detail about how this plays out in real terms, given the reserves that are allowed to be carried forward and the implication for what work would have to be cut if it is not possible to carry forward deficits from year to year? We are talking about government accounting so, presumably, the NAO will be watching very carefully. I worry a bit about what will happen in the short term. I do not want a detailed response now but I would be happy to get a letter on that.
My second point is about the assertion made that somehow the structure we have here is a way of responding to what was described in paragraph 7.2 of the Explanatory Memorandum as building,
“regulatory risk into the charge level”.
I do not understand what risk is being assessed here. Again, this may need a more considered response. Is it the numbers? It is clear that there will be a lot more tier 1 organisations and therefore a lot of detailed administration and housekeeping, but does that equate to risk? I think not. I therefore wonder why the charge, relatively speaking, is being kept at roughly what it was before—it is still £40—and has been extended.
I do not think that the noble Lord, Lord Clement-Jones, made this point today but I am sure that he raised it in discussion in Committee and on Report. We are talking about a situation where it did not matter whether you registered with the system under the Data Protection Act 1998, despite the fact that the noble Lord did not get his amendment through on having a statutory register for these things. I am sorry about that. There will effectively be a register for all those who use data, which will be policed to some extent. Therefore, the chances are that anyone who was not paying before will certainly be caught now. There is a huge additional element here that has not been previously caught or considered. I am intrigued by that. Therefore, the comment made about not wanting micro-organisations to pay for their activities further up the scale struck me as a little odd. Perhaps we might come back to that.
Tier 2 includes the mid-range of the organisations. A lot of companies are in this area; in fact, the bulk of activity in the industry. Yes, they should pay for services received but I would hazard that they are extremely low-risk. I cannot believe that major breaches of personal data are happening in a large number of small and medium-sized enterprises. That bears comparison with the new third tier that has been introduced to look at large organisations; we are talking about Facebook and other organisations which I do not need to name. We are asking them only to pay a modest proportion more than small and medium-sized organisations. I do not know how that equates to risk. It seems that the evidence of this week is that 50 million Facebook accounts could have been picked up and used in some alleged way of trying to influence elections. We are talking about damage on a substantial scale, which is not the same, in any sense, as that which might occur to citizens—the local joiner, plumber or building firm mislaying their accounting records for a short period. However, I am prepared to listen to the arguments on that.
7.15 pm
Add to that the fact that public authorities, which have not previously been involved to this extent, as mentioned by the noble Lord, Lord Clement-Jones, and, presumably, government are also paying. Where was the risk relationship in that? It seems that the public sensitivity on comes from the Government, government agencies or public authorities more generally having a place in people’s thinking that is disproportionate to the possibility of the damage that might be caused by a breach. In other words, there will in some senses
be more concern about the loss of privacy in terms of health or other issues than there perhaps would be about the loss, as we have seen in some cases, of phone records and credit card details from a telephone company. Again, what is the risk profile here? Perhaps we need a bit more on this.
The proof of what I am saying was made pretty evident by the examples the Minister gave; even she must have had a slight smile on her lips when she was doing that. To compare this with the contribution that you pay for a Netflix subscription verges on the ridiculous. We are talking about very serious, damaging issues: cybercrimes are on the increase, people put themselves in danger by releasing data uncontrolled on to the internet—and children are affected. These are all things that were talked about in the debates on the Data Protection Bill. These come to force in the way in which the Government set up their charging system, and we have not got this right. I do not want to hold up this statutory instrument, even though I object to the fact that it is not coming out on a common commencement date. However, I understand the reason for that, because these things come into force on 25 May irrespective of what we do. However, I hope that the reviews of the statutory instrument will have a chance to look at some of these things in more detail than perhaps we were able to during the passage of the Digital Economy Act and the Data Protection Bill. Now that we see them, they do not measure up to the aspirations we had for them, and more thought should be given to them.
Finally, I acknowledge that I have benefited from the comment made by the Minister when she introduced the clarification to the wording of the existing exemption relating to processing for personal and household purposes to make clear that homeowners such as me, who use CCTV, are no longer required to pay a charge. I have been paying a charge since 2005 and I am delighted to see that I will be relieved from that going forward; had I not been here today, I would not have known that. I will also benefit from the fact that elected representatives, including Members of the House of Lords, may not have to register in future.