Part 2 - The Nine Identity Assurance Principles

Part of Data Protection and Digital Information Bill – in the House of Commons am 2:15 pm ar 29 Tachwedd 2023.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Photo of Chris Bryant Chris Bryant Shadow Minister (Creative Industries and Digital) 2:15, 29 Tachwedd 2023

As I am feeling generous, I shall start with the nice bits where we agree with the Government. First, we completely agree with the changes to the Information Commissioner’s Office, strengthening the ICO’s enforcement powers, restructuring the ICO and providing a clearer framework of objectives. As the Minister knows, we have always been keen to strengthen the independence of the ICO and we were concerned that the Government were taking new interventionist powers—that is quite a theme in this Bill—in clause 33, so we welcome Government amendment 45, which achieves a much better balance between democratic oversight and ICO independence, so we thank the Minister for that.

Labour also welcomes part 2 of the Bill, as amended in Committee, establishing a digital verification framework. My concern, however, is that the Government have underestimated the sheer technicality of such an endeavour, hence the last-minute requirement for tens of Government amendments to this part of the Bill, which I note the Minister keeps on referring to as being very technical and therefore best to be debated in another place at another time with officials present. Under Government amendment 52, for example, different rules will be established for different digital verification services, and I am not quite sure whether that will stand the test of the House of Lords.

We warmly welcome and support part 3 of the Bill, which has just been referred to by John Penrose and the Minister, and its provisions on smart data. Indeed, we and many industry specialists have been urging the Government to go much faster in this particular area. The potential for introducing smart data schemes is vast, empowering consumers to make financial decisions that better suit them, enabling innovation and delivering better products and services. Most notably, that has already happened in relation to financial services. Many people will not know that that is what they are using when they use a software that is accessing several different bank accounts, but that is what they are doing.

In the autumn statement, the Government pledged to kickstart a smart data big bang. One area where smart data has been most effective is in open finance—it is right that we expand these provisions into new areas to have a greater social impact—but, to quote the Financial Conduct Authority, it should be implemented there

“in a proportionate phased manner, ideally driven by consideration of credible consumer propositions and use-cases.”

Furthermore, the FCA does not think that a big bang approach to open finance is feasible or desirable. Nevertheless, many of the Government amendments to the suite of smart data provisions are technical, and indicate a move in the right direction. In particular, we hope that, with smart data enabling greater access by consumers to information about green options and net zero, we will be able to help the whole of the UK to move towards net zero.

I want to say a few words on part 4, on cookies and nuisance calls. We share a lot of the Government’s intentions on tackling those issues and the births and deaths register. As a former registrar, I would like to see tombstoning—the process of fraudulently adopting for oneself the name of a child who has died—brought to an end. That practice is enabled partly because the deaths register does not actually register the death of an individual named on the births register, which I hope will at some point be possible.

Despite the Government’s having sat on the Bill for almost 18 months, with extensive consultations, drafts, amendments and carry-over motions, there are still big practical holes in these measures that need to be addressed. Labour supports the Government’s ambitions to tackle nuisance calls, which are a blight on people’s lives—we all know that. However, I fear that clause 89, which establishes a duty to notify the ICO of unlawful direct marketing, will make little or no difference without the addition of Labour amendments 7 and 8, which would implement those obligations on electronic communications companies when the guidance from the ICO on their practical application has been clearly established. As the Bill stands, that is little more than wishful thinking.

Unfortunately, the story is the same on tackling cookies. We have a bunch of half-baked measures that simply do not deliver as the public will expect them to and the Government would like them to. We all support reducing cookie fatigue; I am sure that every hon. Member happily clicks “Accept all” whenever cookies comes up—[Interruption.] Well, some Members are much more assiduous than I am in that regard. But the wise Members of the House know perfectly well that the problem is that it undermines the whole purpose of cookies. We all support tackling it because clicking a new cookie banner every time we load a web page is a waste of everybody’s time and is deeply annoying.

However, the Government’s proposed regulation 6B gives the Secretary of State a blank cheque to make provisions as they see fit, without proper parliamentary scrutiny. That is why we are unhappy with it and have tabled amendment 6, which would remove those powers from the Bill as they are simply not ready to enter the statute book. Yet again I make the point that the Bill repeatedly and regularly gives new powers to the Secretary of State. Sure, they would be implemented by secondary legislation—but as we all know, secondary legislation is unamendable and therefore subject to much less scrutiny. These are areas in which the state is taking significant powers over the public and private individuals.

Let me deal with some of the Labour party’s amendments. First, I take subject access requests. The Government have repeatedly been in the wrong place on those, I am afraid, ever since the introduction of the first iteration of the DPDI Bill under Nadine Dorries, when they tried to charge people for access to their own data. Fortunately, that has now gone the way of Nadine Dorries. [Interruption.] I note that the Minister smiled at that point. We still have concerns about the Government’s plans to change the thresholds for refusing subject access requests from “manifestly unfounded or excessive” to “vexatious or excessive”. The Equality and Human Rights Commission, Reset, the TUC and Which? have all outlined their opposition to the change, which threatens to hollow out what the Government themselves admit is a “critical transparency mechanism”.

We have tabled two simple amendments. Amendment 2 would establish an obligation on any data controller refusing a subject access request to provide evidence of why a request has been considered vexatious or excessive. Organisations should not be allowed to just declare that a request is vexatious or excessive and so ascribe a motive to the data subject in order to refuse to provide their data, perhaps simply because of the inconvenience to the organisation.

The Government will try to tell me that safeguards are in place and that the data subject can make appropriate complaints to the organisation and the ICO if they believe that their request has been wrongly refused. But if we take the provisions set out in clause 9 to extend the time limits on subject access requests, add the advantage for companies of dither and delay when considering procedural complaints, and then add the additional burden on a data subject of having to seek out the ICO and produce evidence and an explanation of their request as well as the alleged misapplication of the vexatious or excessive standard, we see that people could easily be waiting years and years before having the right to access their own data. I cannot believe that, in the end, that is in the interests of good government or that it is really what the Government want.

Despite public opposition to the measures, the Government are also now going further by introducing at this stage amendments that further water down subject access request protections. Government new clauses 7 and 9, which the Minister did not refer to—in fact, he only mentioned, I think, a bare tenth of the amendments he wants us to agree this afternoon—limit a data subject’s entitlement to their own data to the controller’s ability to conduct a “reasonable and proportionate” search. But what is reasonable and proportionate? Who determines what has been a reasonable and proportionate search? The new clauses drive a coach and horses through the rights of people to access their own data and to know who is doing what with their information. That is why Labour does not support the changes.

I come to one of the most important issues for us: high-risk processing, which, as the term suggests, is of most concern when it comes to the rights of individuals. I was pleased but perplexed to see that the Government tabled amendments to new clause 30 that added further clarity about the changed provisions to record keeping for the purposes of high-risk processing. I was pleased because it is right that safeguards should be in place when data processing is deemed to be of high risk, but I was perplexed because the Government do not define high-risk processing in the Bill—in fact, they have removed the existing standard for high-risk processing from existing GDPR, thereby leaving a legislative lacuna for the ICO to fill in. That should not be up to the ICO. I know that the ICO himself thinks that it should not be up to him, but a matter for primary legislation.

Our amendment 1 retains a statutory definition of high-risk processing as recommended by the ICO in his response to the Bill, published in May. He said:

“the detail in Article 35 (3) was a helpful and clear legislative backstop.”

That is why he supports what we are suggesting. Our amendment 4 would also clarify those individual rights even further, by again providing the necessary definition of what constitutes high risk, within the new provisions concerning the responsibilities of senior responsible individuals for data processing set out in clause 15.

I turn to automated decision making, which has the potential to deliver increasingly personalised and efficient services, to increase productivity, and to reduce administrative hurdles. While most of the world is making it harder to make decisions exclusively using ADM, clause 12 in the Bill extends the potential for automated decision making in the UK. Yet countless research projects have shown that automated decision making and machine decision making are not as impartial or blind as they sound. Algorithms can harbour and enhance inbuilt prejudices and injustices. Of course we cannot bury our heads in the sand and pretend that the technology will not be implemented or that we can legislate it out of use; we should be smart about ADM and try to unlock its potential while mitigating its potential dangers. Where people’s livelihoods are at risk or where decisions are going to have a significant impact, it is essential that extra protections are in place allowing individuals to contest decisions and secure human review as a fundamental backstop.

Our amendment 5 strikes a better balance by extending the safeguarding provisions to include significant decisions that are based both partly and solely on automated processing; I am very hopeful that the Government will accept our amendment. That means greater safeguards for anybody subject to an automated decision-making process, however that decision is made. It cannot just be a matter of “the computer says no.”

I think the Minister is slightly surprised that we are concerned about democratic engagement, but I will explain. The Bill introduces several changes to electoral practices under the guise of what the Government call “democratic engagement”, most notably through clauses 86 and 87. The former means that any political party or elected representative could engage in direct marketing relying on a soft opt-in procedure, while clause 87 allows the Secretary of State to make any future exemptions and changes to direct marketing rules for the very unspecified purposes of “democratic engagement”.

The Ada Lovelace Institute and the Internet Advertising Bureau have raised concerns about that, and in Committee Labour asked the Minister what the Government had in mind. He rather gave the game away when he wrote to my hon. Friend Stephanie Peacock, to whom I pay tribute for the way she took the Bill through the Committee:

“A future government may want to encourage democratic engagement in the run up to an election by temporarily ‘switching off’ some of the direct marketing rules.”

Switching off the rules ahead of an election—does anyone else smell a rat?

The Government ask us to trust them, but when they change the rules on voting, refuse automatic registration of voters and dramatically increase the amount that they can spend on a general election, all to benefit their own party interest, forgive me if I worry that they are trying to slip yet another change through just before an election that will enable the Tories to mine people’s information for votes. That is why I am doubly suspicious of clauses 86 and 87. The first seems to make legal a practice that I suspect several Conservative MPs are already engaged in: using data acquired as an MP for the wholly different purpose of seeking re-election as a candidate. The second is a major power grab by the Secretary of State, enabling them to change the direct marketing rules for elections with the bare minimum of scrutiny.

Clause 86 should be rewritten to remove the soft opt-in in provisions for political parties and elected representatives, and clause 87 should be scrapped. The changes were not supported by the majority of respondents to the Government’s initial consultation, who wanted the Privacy and Electronic Communications (EC Directive) Regulations 2003 rules to be upheld, and they will not be supported by Labour today. In addressing Government amendment 256, the Minister offered a supposed explanation of what “democratic engagement” means, but it was basically literally anything that anybody could do in a political party or as an elected representative. I do not think that he clarified it; if anything, he just extended it.

I will refer briefly to amendment 45, tabled by Robin Millar, who was in his place a moment ago—[Interruption.] Ah, he has moved. Of course interoperability of data in the health service between all the different parts of the United Kingdom is devoutly to be wished for. In fact, it would be quite nice if GP surgeries were able to have full interoperability between one another. I was told the other day that we have 3.1 million residents in Wales, but something like 9 million patient records, which suggests that something is not quite right. There is a similar number, I think, for England, Wales and Northern Ireland, so of course we need to get to a place of greater interoperability.

I am nervous about the amendment, simply because the Welsh Government have not been consulted. I do not know about the Scottish Government or others. I do not want to stir the devolution pot in a way that is unhelpful, so we will abstain on the amendment. The hon. Member is looking pregnant with something; I do not know whether he intends to intervene.