My Lords, I will speak also to Amendment 140 and the submissions that Clauses 32 to 35 should not stand part. These amendments are designed to clarify the statutory objective of the new information commission; increase its arm’s-length relationship with the Government; allow effective judicial scrutiny of its regulatory function; allow not-for-profit organisations to lodge representative complaints; retain the Office of the Biometrics and Surveillance Camera Commissioner; and empower the Equality and Human Rights Commission to scrutinise the new information commission. The effective supervision and enforcement of data protection and the investigation and detection of offenders are crucial to achieve deterrence, prevent violations, maintain transparency and control options for redress against data misuse.
6.15 pm
Since artificial intelligence often processes personal data, the ICO regulatory function is also pivotal for reaping the benefits of AI while mitigating risk for individuals, be they patients, residents, employees or customers. Furthermore, these changes would address concerns over the impact of the Bill on the UK adequacy decision. The European Commission has already stated that the new powers for the Secretary of State to interfere with the objective and impartial functioning of the Information Commissioner may
result in the withdrawal of the UK adequacy decision, which allows the free flow of personal data, as we have heard—and no doubt we will be discussing that on Wednesday. That would have a major impact on UK businesses in administrative costs alone, and would disrupt trade relationships as well as UK co-operation with the EU on law enforcement and research.
Clause 31, “Duties of the Commissioner in carrying out functions”, introduces competing and ambivalent objectives that would pressure the ICO into condoning breaches of data protection laws against competing interests and reduce the clarity of the regulatory function of the new information commission. Data protection enforcement has already been limited in the UK. During the 2021-22 period, the ICO secured no enforcement notices or criminal prosecutions and issued just four GDPR fines, all of which concerned data security and came to a grand total of just £183,000.
Amendment 138 would amend Clause 31 and clarify the role and statutory objective of the Information Commissioner’s Office by removing unnecessary and potentially counterproductive objectives in transposing relevant case law into the Data Protection Act 2018. This would clearly state in legislation that the ICO had a duty to investigate infringements and ensure the diligent application of data protection rules. If so amended, new Section 120A of the Bill would promote clarity and consistency in the ICO regulatory function. As pointed out by the Institute for Government:
“Clarity of roles and responsibilities is the most important factor for effectiveness”
of arm’s-length bodies such as the ICO.
The Bill will provide significant powers to the Secretary of State to interfere with the objectives and impartial functioning of the new information commission, such as by the appointment of non-executive directors, or by members of the newly formed information commission designating strategic priorities for the commissioner and recommending the adoption of ICO codes of practice before they are submitted to Parliament for consideration.
The clause stand part amendments would remove Clauses 32, 33, 34 and 35 of the Bill, thus limiting the Secretary of State’s powers and leeway to interfere with the objectives and impartial functioning of the new information commission. Further, the amendment would modify Schedule 15 of the Bill to transfer budget responsibility and the appointment process of the non-executive members of the information commission to the relevant Select Committee. If so amended, the Bill would ensure that the new information commission had sufficient arm’s length from the Government to oversee public and private bodies’ uses of personal data with impartiality and objectiveness.
I turn to Amendment 140. The Information Commissioner always claims to be keen to ensure that business is provided with effective guidance and advice. Businesses that have an ongoing contact person find that they can develop a relationship where the ICO official gets to understand the business and can provide useful advice when an issue arises, be it a complaint or a business-initiated question. Not all businesses have a dedicated official. They find the system less satisfactory, with questions being met by being referred to the legislation and guidance rather than tailored advice.
The aim of the amendments, which have been proposed by the British Retail Consortium, is to improve the system by which advice is given and to place an obligation on the commissioner to provide advice. While the current commissioner is at least supportive in principle, there are clearly no guarantees for the future. Amendment 140 would introduce a system of assured advice. As such, where a business received such individualised assured advice, it would be able to act knowing that, if that advice was followed in full, it would not be prosecuted or fined for doing so. It would place an obligation on the commissioner to ensure that a business can request and receive advice on request. That is another way of achieving the same objective but less specific. An example of such advice is the use of CCTV and how it can be legally used in the prevention of crime instore. I very much hope the Minister will consider that proposal, which comes from a business provenance, where there is clearly strong demand for that kind of guidance. I beg to move.