My Lords, I come to this topic rather late and without the star quality in this area that has today been attributed to the noble Lord, Lord Kirkhope. I acknowledge both the work of Justice in helping me to understand what Clause 28 does and the work of the noble Lord, Lord Clement-Jones, in formulating the probing amendments in this group. I echo his questions on Clause 28. I will focus on a few specific matters.
First, what is the difference between the existing formulation for restricting data protection rights “when necessary and proportionate” to protect national security and the new formulation,
“when required to safeguard national security”?
What is the purpose of that change? Does “required” mean the same as “necessary” or something different? Do the restrictions not need to be proportionate any more? If so, why? Could we have a practical example of what the change is likely to mean in practice?
Secondly, why is it necessary to expand the number of rights and obligations from which competent law enforcement authorities can be exempted for reasons of national security? I can understand why it may for national security reasons be necessary to restrict a person’s right to be informed, right of access to data or right to be notified of a data breach, as under the existing law, but Clause 28 would allow the disapplication of some very basic principles of data protection law—including, as I understand it, the right to have your data processed only for a specified, explicit and legitimate purpose, as well as the right to have decisions made about you not use solely automated methods.
Thirdly, as the noble Lord, Lord Clement-Jones, asked, why is it necessary to remove the powers of the Information Commissioner to investigate, to enter and inspect, and, where necessary, to issue notices? I appreciate that certificates will remain appealable to the Upper Tribunal by the person directly affected, applying judicial review principles, but that is surely not a substitute for review by the skilled and experienced ICO. Apart from anything else, the subject is unlikely even to know that they have been affected by the provisions, given that a certificate would exempt law enforcement from having to provide information to them. That is precisely why the oversight of a commissioner in the national security area is so important.
As for Clauses 29 and 30, I am as keen as anybody to improve the capabilities for the joint processing of data by the police and intelligence agencies. That was
a major theme of the learning points from the London and Manchester attacks of 2017, which I helped to formulate in that year and on which I reported publicly in 2019. A joint processing regime certainly sounds like a good idea in principle but I would be grateful if the Minister could confirm which law enforcement competent authorities will be subject to this new regime. Are they limited to Counter Terrorism Policing and the National Crime Agency?
5.30 pm
Is there a downside to these proposals in terms of losing what the Minister, the noble Lord, Lord Ashton of Hyde, described at Second Reading of the Data Protection Bill in 2017 as
“a single domestic and transnational regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector”?—[Official Report, 10/10/17; col. 126.]
In other words, is there a trade-off for CTP and the NCA between ease of collaboration with MI5 and a new barrier to their collaboration with other parts of policing and law enforcement? Incidentally, such collaboration was another important learning point from the 2017 attacks.
Finally, in relation to all the changes in Clauses 28 to 30, what view has the Information Commissioner expressed about the removal of so many of their oversight functions? Have the proposals been discussed with the EU, which has historically been particularly sensitive about data handling in the field of national security, and what has its response been? It is a familiar theme, no doubt, but what assurance can the Minister give us that these proposed changes will do nothing to jeopardise our data adequacy determination with either the Commission or the Court of Justice of the European Union?