The Earl of Northesk: My Lords, we should not be under any illusions as to the need for data protection legislation. As Simon Davies, director of the Washington-based watchdog group, Privacy International, has observed,
"Surveillance technology has become more powerful and wider ranging than ever. Personal information has come increasingly to cross national boundaries, sidestepping national privacy laws. And the emergence of the Internet has brought with it a whole new dimension for potential intrusion into privacy. Meanwhile, the rules that protect us all from snooping by state and private interests become more meaningless by the day".
At the outset, like my noble friend Lord Wakeham, I should put on record that the Minister deserves much credit. His introduction revealed a most generous approach to the technical aspects of the Bill, which will be enormously beneficial. And, as a recent The Times leader commented, he
"has shown political courage in framing a broad exemption for journalism, research and literary material, without which this legislation could have introduced a privacy law by a side entrance. At worst, it could have imposed a blanket law of press censorship".
That the Government, in the form of the noble Lord, has sought to reconcile the competing interests of the right of free expression and the freedom of the press, as against an individual's right to privacy, is to be applauded. My noble friend Lord Wakeham has already covered the greater part of this ground much more authoritatively than I can and so I do not wish to dwell on it. Suffice to say that my own impression is that the balance has been struck about right.
2 Feb 1998 : Column 467
Lest the Minister feels that I am being unduly deferential, I am bound to say that, in other respects, I have serious reservations about the Bill. Speaking in December 1994 the then commissioner responsible for the single market, Mr. Raniero Vanni D'Archirafi, stated that efforts to create an information society in Europe,
"will be in jeopardy if there is no co-ordination of rules for the exchange of data".
This concept is enshrined in the directive itself. While acceding to the different approaches that member states may have towards the right of privacy and data processing, it states that these may,
"constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the discharge of their responsibilities under Community law".
Clearly, an underlying purpose of the directive is to facilitate data transfer within the European Community to the benefit of commercial, governmental and other interests. It is ironic, therefore, that the Bill carries with it a heavy burden in terms of the costs of compliance. As Ruth Lea of the IoD has stated,
"However laudable the aims of the legislation, extra costs will be piled on firms".
And from the Local Government Management Board:
"While we support the aims of this Bill, finding the money to implement it will be yet another burden on authorities whose backs are already up against the budgetary wall".
I acknowledge that these costs are, in the words of the Minister, "guesstimates", but, especially in the light of current misgivings about the likely financial impact of resolving the millennium bug, my suspicion is that they could well be an under-estimate.
Financial considerations aside, the Bill's apparent lack of acknowledgement of technological advances is disturbing. Simon Davies has commented that:
"The current British law was already a decade out of date when it was enacted in 1984".
I share that view. The Bill before us today is essentially little more than a re-casting of that legislation with the additional, and more rigorous, requirements of the EU directive thrown in for good measure. In effect, it is almost a quarter of a century past its sell-by date. For example, it makes no attempt to regulate either data-matching or the use of data from public or private CCTV systems. As the Home Office itself has admitted, "The Directive"--and thereby the Bill--
"does not specifically address new technology. It sets a general framework which will apply irrespective of the technology used".
With this in mind, and at what may be a slightly facetious level, I presume that Rory Bremner's "virtual" Minister without Portfolio is an instance where Clause 31 would apply. There is a serious point here. In so far as it may have administrative or commercial applications, the Bill is singularly lacking in any definition of how the technologies of "morphing" and/or "virtuality" are to be treated.
At a more pressing level, your Lordships will be aware that last year's Social Security Administration (Fraud) Act sanctioned data-matching between
2 Feb 1998 : Column 468
government departments for the first time. I note that, during Second Reading, the noble Baroness, Lady Hollis, stated that,
"We shall want assurance that the Bill provides adequate safeguards for data protection. We believe that that may be best achieved, as the data protection registrar says, through a statutory code of practice".--[Official Report, 17/2/97; col. 465.]
The Bill is an opportunity to enact such a code, but it is curiously silent on the matter.
Of course, the underlying purpose of the measure was the rooting out of fraud. I also acknowledge that, as a generality, data-matching can be interpreted as being at variance with a number of the data principles. It could therefore be argued that the Bill does provide the means to control its use and application, particularly in the light of the prior-checking provisions in Clause 21. But this represents a far from adequate safeguard against such a powerful and potentially misleading analytical tool. This is especially so because,
"A disturbing aspect of the Bill as a whole is that in no less than seven instances the Secretary of State will be able to introduce additional exemptions from the Act by statutory instrument".
Justice, in my view, quite rightly, has described it as "unprecedentedly wide".
More than this, a conspicuous feature of the Bill is the extent to which processes within central government are in any event exempted from its provisions. Little wonder that the cost of compliance for Government is comparatively small. On the surface there may be little cause for complaint for the reasons for the exemptions "safeguarding national security", and so on. But as the Data Protection Registrar has commented there is,
"no justification for making provision for the blanket exemption for certain types of data for law enforcement and tax raising purposes".
While accepting that it is a difficult balance to strike, people nonetheless fear the innate capacity of the state to overreach itself in data terms; a capacity which is perhaps best encapsulated in Clause 28(4). By way of example, the DfEE's recent proposals for a national computer record of every pupil's social, economic and ethnic background, as well as academic results and special educational needs, was quite rightly criticised by the Data Protection Registrar.
Like my noble friend Lord Astor, I am also concerned about how the Bill will interact with the Internet. While it could be argued that the composition of their content is a word-processing function, e-mail programs automatically generate a series of personalised database fields in their headers. By any measure these accord with all three definitions of "data" and with that of "processing" in Clause 1. Accordingly, except in so far as they may be subject to the various exemptions in Part IV, all e-mails could be interpreted as being subject to Clause 16. In effect, individuals--perhaps those of your Lordships who use the Internet services of the PDVN--could be required to notify their data processing activities. This is of a piece with the concern expressed by the CBI, as my noble friend Lord Astor explained. I wonder how proportionate the apparent inclusion of those classes of processing is.
In this context, it is worth considering the provisions relating to the eighth data principle in Schedule 1. To all intents and purposes, the Bill is structured so as to
2 Feb 1998 : Column 469
prevent data transfer to third-party countries where the level of data protection is deemed to be inadequate. Quite apart from the difficulties that this creates with respect to transfer by means of home pages on the world wide web, this has very serious implications with respect to e-mail. Notwithstanding Schedule 4, it is entirely possible that the Bill, as drafted, could have the inadvertent effect of blocking the access of UK citizens and businesses to entirely legitimate e-mail communication to certain areas of the world.
Of course, notwithstanding their "public" nature, the same elements of processing apply to Usenet and the world wide web. Specifically, the composition of home pages and newsgroup postings, particularly those that contain statistical information or references to individuals other than the compiler, are almost certain to fall within the remit of the Bill. In this context, it is worth noting that the recent difficulties of the President of the United States owe much to the way in which the Internet currently operates. It was an Internet scandal sheet, the Drudge Report, which broke the story. The content of these web sites--they are frequently referred to as "junk media"--represents neither journalism nor artistic expression in the accepted sense and thereby would lie outside the scope of Clause 31.
Equally, it is "personal data" which are being processed in ways that are inconsistent with the data protection principles. Is it intended that such sites, if they originate within the UK and have UK-based content, should be subject to the Bill? Would they be classified as "in the public interest"? At a more general level, how will the concept of "publication" be interpreted in relation to postings to the Internet? To what extent will Clause 52 be applicable to individuals who innocently download postings on the "net" to their own computers? How is it intended that the Bill will treat closed and/or secure systems, for example, credit card facilities on the net or even the PDVN?
In conclusion, I do not dispute the Data Protection Registrar's description of the Bill as being both "timely" and an "excellent framework", but it is not without its faults. The BMA's eloquent description of previous data protection law as being
"a load of holes joined together"
comes to mind. Such leaky sieves assist no one. As the Bill continues its passage we shall need to guard against perpetuating that sort of regime. The generous approach of the noble Lord, Lord Williams of Mostyn, will make our task very much easier.