My Lords, we move to a group that looks at data protection issues, which were covered at Second Reading. In this group, I have Amendment 21, the Clause 42 stand part notice and Amendments 35 and 36. I have found the Information Commissioner’s Office response to the joint consultation from the Law Commission and the Scottish Law Commission on automated vehicles, dated March 2021, extremely helpful. That response set out the legislative landscape and said, in paragraph 6:
“The consultation refers to Directive 2002/58/EC, known as the ePrivacy directive (‘ePD’), however, reference should be given instead to PECR, which is the UK law that gives effect to the ePD … Section 17.54 notes that the legislator ‘clearly did not have AVs … in mind’ when the Directive was enacted, and that ‘At the time, the typical terminal equipment was a telephone handset’ … Therefore, care must be taken when interpreting the legislation, so that its underlying rationale, and technology neutral approach is fully understood and any proposals accord with its objectives. The ICO has produced guidance”
on this. It is saying that GDPR rules are clearly not enough on their own.
I was grateful at Second Reading for the Minister’s clear response on the protection of personal data— I may disagree with what he said but I was grateful for the clarity of the response. He said:
“However, data must remain properly protected. Self-driving vehicles will be subject to existing data protection laws in the UK. Our proposed Bill does not alter that, so manufacturers and government will have to ensure that data is protected”.—[Official Report, 28/11/23; col. 1072.]
I remain concerned that the Bill, especially Clause 42, sets out a very high level, a top level, of legislation—whether primary or secondary, of which we know
nothing yet—by which information will be protected, but it does not put in place the mechanisms by which individual people could rest assured that their personal data was being appropriately protected. The ICO further commented on personal data in its response to the Law Commission, at paragraph 12:
“Automated vehicles pose particular challenges in relation to personal data, as often they will process the personal data of several individuals: owners, drivers, passengers and even pedestrians. If the personal data of these users is processed inappropriately, there is a heightened risk of intrusion into individuals’ work and private lives. The Government and technology providers should therefore adopt a data protection by design and default approach, ensuring that privacy protections are built into the design and development of automated vehicles”.
To return to the Bill, Clause 42(4) sets out the offence of breaching data protection, but then Clause 42(5) gives a very wide range of defences, which is, frankly, quite worrying. It says:
“But it is a defence to prove that—(a) the person from whom the information was obtained as described in subsection (1) consented to the disclosure or use, or (b) the recipient reasonably believed that the disclosure or use was lawful”.
I have been trying to think through what this might mean in practice. Let us say that you call an AV—it could be yours; it could be a neighbourhood vehicle; it could be a taxi; it could even be getting on a bus—and when you call it, it will ask you, probably in your app, to confirm the terms and conditions. We all do this every day when we go online; we just tick “Yes”, but do we know what the operating licence holder might be doing with our personal data? Worse, the licence holder or a future recipient of that data, somebody else in the chain of information, might think that disclosure was lawful. Amendment 21 sets out the baseline good practice for any organisation that is dealing with personal data, especially data that the individual is not necessarily aware of.
I want to give the Committee an example I experienced when a number of people and organisations were involved in handling personal data. My dentist—please do not laugh; it is relevant—requires patients to sign online, before they are seen every time, that they are content with their personal, medical and other personal data being held, so that the surgery can better look after patients, with an assurance that it will be held appropriately. That is fine. A couple of years ago, the regular online form changed, and after page one I was asked to sign a different set of Ts and Cs from a specialist data processing company. I clicked through, read the 17-odd pages and discovered that in the small print this multibillion-dollar company wanted my permission to be able to pass my data, medical and personal, on to other interested parties in its group and for other associated services. This included insurance companies, providers of healthcare and pharmaceuticals. I was not happy.
When I raised it with the dental surgery, it was really shocked. It had not clocked the detail because it had not clicked through two or three times, as I had to do, and it dealt with it straightaway, but I am making a point: we are not expecting a single authorised organisation to process all the data. There will be many different tracks coming down the line, and the problem here was that this was an American company using American law, not GDPR. The defence in Clause 42(5) would
have succeeded, because one would have automatically ticked on the Ts and Cs thing on the app. That is one of the reasons that, at Second Reading, I probed on protection for data. I hope that my amendments will strengthen what the Government are planning to do.
Amendment 21 sets out the criteria that would have to be met before a person or a body would be permitted to be authorised as a self-driving entity. First, they must
“have obtained a certificate of compliance with data protection legislation”
from the ICO for their policy of handling of personal data. Secondly, their policy relating to handling personal data of clients, passengers et cetera must clearly outline
“who has ownership of any personal data collected, including after the ownership of a vehicle has ended”.
Thirdly, they must be
“a signatory to an industry code of conduct under the UK General Data Protection Regulation”.
Because I remain concerned about Clause 42, I have laid that it should not stand part, partly as a probing issue to get the issues out and bring a response from the Minister. I hope the Minister can provide the Committee with stronger reassurance than that given at Second Reading, given the 10 pages of response from the ICO to the Law Commission consultation.
I have two further amendments in this group. In every debate so far—and in meetings with the Minister—the Government have made it plain that the Bill is charting new territories and new technologies that not one other country has yet managed to do. Much of the focus on the Bill is understandably on vehicles, but the other element of newer and untested technology is how data will be used. We know just from the advances in AI over the last few months, let alone year, how fast it changes. Amendment 35 sets out for an annual report to Parliament on the use of personal data in relation to automated vehicles. This way, when the sector responds it can see how many breaches there are and how new technology as yet unseen and unknown—not even thought of—will affect individuals. Equally importantly, we will be able to see trends in data collection so that Governments and Parliament can consider whether further legislation is needed to further regulate the collection of data. Amendment 36 sets out the requirement for the Secretary of State to consult with the ICO in relation to the collection of personal data prior to the Secretary of State making any regulations in relation to personal data collection.
I know that the noble Lord, Lord Liddle, made the point about the Secretary of State making these decisions, and I just want to add at this point that this Government have had a habit of pushing an enormous amount of information into secondary legislation. I think we all understand that some of it needs to be there but, particularly with new technologies and new areas, Parliament is very concerned about giving permission for things that are not yet even understood, let alone explicit.
I also want to add that I support the other amendments in this group from my noble friend Lady Bowles and from the noble Lord, Lord Holmes of Richmond, all of which strengthen the protections needed for a technology that will have even more access to people’s
personal data than we know now, whether it is commercial or third-party data. All the amendments in this group are following the ICO’s principal concern.
I say again that AVs pose a risk to individual rights if they have insufficient control over their data and their data protection rights. The ICO says that data systems for AVs should have a data protection system by a design and default approach. After all, it is a new technology.
I really look forward to hearing the Minister’s response. I beg to move.