UK Parliament / Open data

Automated Vehicles Bill [HL]

My Lords, once again I thank noble Lords for their contributions. I begin with Amendments 29, 34 and 42, tabled by the noble Baroness, Lady Bowles of Berkhamsted. The protection of personal and commercial data is of course a critical issue and one that requires careful consideration. On Amendments 34 and 42, all information collected and shared under Clauses 42 and 88 is subject to restrictions on unauthorised use, breach of which constitutes an offence. Where personal data is collected, this is also subject to data protection legislation. This information can be disclosed or used only for the purposes specified in the regulations made under each respective clause.

As set out in our policy scoping notes, this is a novel policy area, and it is not yet known exactly how information may need to be used or shared. However, as the examples in the notes illustrate, this is likely to be for public interest purposes such as road safety or improved passenger services. On the basis that information sharing will be proportionate and in the public interest, a requirement to pay commercial compensation would be inappropriate.

To further support data protection, the Government will be considering the recommendations by the Centre for Data Ethics and Innovation, in its report Responsible Innovation in Self-Driving Vehicles. These include a recommendation to work with the Information Commissioner’s Office to issue guidance on how data protection obligations apply to self-driving vehicles.

On Amendment 29, all information required to be shared under Clause 14 will be subject to the requirements and safeguards of data protection legislation. The Bill does not change these protections. This information will be used for regulatory purposes to ensure the safe and legal operation of self-driving vehicles. It will also be used to determine criminal and civil liabilities associated with the use of these vehicles. Again, these purposes are proportionate and in the public interest. Businesses will be aware of the regulatory requirements for information sharing prior to seeking authorisation or licensing, and the information will be subject to these obligations from the outset. There would therefore be no expectation that it could be treated as commercially confidential information which holds a market value.

I turn to Amendment 31. The department does not notify entities when using information obtained under an investigation and used in the public interest—for example, to improve road safety. In the case of Clause 22(2), the information would be used for

“any of the investigative purposes in relation to any regulated body”.

These purposes aim to ensure the continued safe and legal operation of self-driving vehicles, and are therefore in the public interest.

The amendment would place an additional administrative burden on the Secretary of State that brought minimal benefit to the regulated body in question, as the investigative purpose would continue none the less. In the case of a regulatory issue being identified, the body would be notified by the appropriate regulatory action, such as a compliance notice. This would then allow the regulated body to challenge the use of information by representations under paragraph 5 of Schedule 1.

On Amendment 21, tabled by the noble Baroness, Lady Brinton, I recognise that she made a characteristically incisive series of detailed points on these issues. I will be happy to meet with her, in addition to the separate meeting we have scheduled on accessibility, to have a fuller discussion on her questions, and I extend the same invitation to other noble Lords.

We believe it is right that the protection of personal data will be considered alongside the detailed development of authorisation requirements—it is an important issue. These requirements will be set out in secondary legislation and will be subject to consultation and impact assessment.

The schemes referred to in the amendment are industry led and therefore not within the control of government. There is therefore a risk that they would not achieve the intended result.

On Amendment 35, it is the role of the Information Commissioner’s Office to regulate on data protection issues. The ICO has an existing obligation to report annually to Parliament on the commissioner’s activities. Any report by the Department for Transport would risk duplicating this work. The Department for Transport is also not the data controller for information collected by regulated bodies, which means that such reporting would be inappropriate. Further, the Secretary of State already has a duty under Article 36(4) of the UK GDPR to consult the ICO on proposals for legislative measures. Amendment 36 therefore duplicates an existing requirement.

On Amendment 55B, the Information Commissioner’s Office is the independent regulator responsible for upholding information rights in the public interest. Given its role as a whole-economy regulator, it would be unnecessary and duplicative to establish a separate third-party body, with the same expertise, to oversee the use of personal data by self-driving vehicles.

I turn to the proposal that Clause 42 be removed. Clause 42 contains provisions that constrain the use and disclosure of information obtained through the regulatory framework. The removal of these provisions would open up the possibility of personal data being processed in a much wider manner, such as for reasons of “legitimate interest”. This would amount to a weakening of the data protections in the Bill.

On the points raised about national security, whole-life cyber resilience will be tested as part of the approval processes. The UK has co-chaired the UNECE group developing standards in this area, and government is working with colleagues in the National Cyber Security Centre and the National Protective Security Authority on these issues.

Finally, on the point regarding the protection of personal data when selling a vehicle, in cases where manufacturers and supporting services store data outside the vehicle, all relevant data protections will need to be met. If a vehicle user has given access rights and connections to personal information, it is the responsibility of the user to delete the data from the vehicle. Indeed, this is the same approach as that applied to devices such as mobile phones, which contain similarly large quantities of sensitive data. I ask noble Lords not to press their amendments on this.

Type: Proceeding contribution
Reference: 835 cc90-2
Session: 2023-24
Chamber / Committee: House of Lords chamber