My Lords, I support the amendments in the names of my noble friends Lady Brinton and Lady Bowles. I start by emphasising the importance and strength of the Information Commissioner’s Office’s response to the Law Commissions’ report. Amendment 36 is therefore essential because it involves the ICO in setting the rules and standards.
It seems to me that the issues are twofold: first, the issue of the protection of personal privacy and personal data, and, secondly, the issue of national security. On national security, these vehicles will have an entire knowledge of every part of the UK and the details of the traffic arrangements for the whole of the UK. Can you imagine the impact on the economy of a major cyberattack that could paralyse traffic over a considerable area? I am trying to avoid the idea of some kind of updated version of “The Italian Job”. Any kind of hacking into the system would have national security implications.
Turning to personal privacy, I will pose a couple of simple examples. Imagine that I own a car and I sell it to someone else. The car has collected my data; it knows where I visit on a daily and regular basis. Whose data is it when I sell the car to someone else? The data is an essential part of the operation of that car. It has learnt its way around my city using my favourite routes; it has amended how it operates according to my preferences. At what point does that data cease to
be mine and start to belong to the car or its manufacturer? Do I have a right to say, “Wipe it, start afresh and reinstall”? If that is the case, there is the whole issue of public awareness to be tackled.
My second example is of a taxi company. I hire a taxi, so the company concerned therefore knows where I picked it up and where I left it. Does that data belong to the taxi company or to me? I realise that a taxi company now has data on things such as this, but it is in a very much less systematic way.
Turning to whether Clause 42 should stand part, I will quote a couple of sentences from the clause. It says:
“The Secretary of State may make regulations authorising the recipient to … use the information for a purpose other than the purpose for which it was obtained”.
That is a pretty bald phrase and therefore pretty risky. It adds:
“It is an offence for the recipient to … disclose the information … except as authorised by regulations under subsection (3) or any other enactment”.
That is remarkably broad. It also says that
“it is a defence to prove that … the recipient reasonably believed that the disclosure or use was lawful”.
That is a very weak position. It seems to me that in neither respect does the Bill adhere to data protection norms. I urge the Minister to take it back and look at tightening up the data protection aspects of the Bill, in relation to both data protection for the individual and, as my noble friend Lady Bowles emphasised, the commercial aspects of the rights to data.
9.15 pm