Yesterday, RSI testified before a House of Commons Committee about the negative impacts the Data Protection and Digital Information (No. 2) Bill would have if Parliament adopts it.
The Public Bill Committee asked RSI to advise it on clauses 24-26 of the Bill, which would give intelligence-style powers to the police when they want to access and use people’s personal data.
RSI’s UK Accountability Team Leader, Jacob Smith, told the Committee:
‘We argue that the Bill does not strike the right balance between protecting national security and upholding data and privacy rights. We have three main concerns with how the Bill sets out that balance at the moment…
‘We have this altered regime of national security certificates for when law enforcement is taking measures in the name of national security, and we have this new regime of [designation] notices. When law enforcement and the security services are collaborating, the notices [would] allow the law enforcement body working in that collaboration to benefit from the more relaxed rules that are generally only for the intelligence services.
‘From our perspective, there are three main concerns. First, we are not quite sure why these amendments are necessary. Under human rights law, for an interference with somebody’s data or privacy rights to be lawful, it needs to be necessary, and that is quite a high standard. It is not something akin to it being more convenient for us to have access to this data, or more efficient for us to have access to this data; it has to meet a high standard of strict necessity. Looking through the Second Reading debate, the impact assessment and the European convention on human rights analysis, there is no reference to anything that would be akin to necessity. It is all, “It would be easier for law enforcement to have these extra powers. It would be easier if law enforcement were potentially able to use people’s personal data in more ways than they are at the moment.” But that is not the necessity standard.
‘The second concern is the lack of safeguards in the Bill. Another thing that human rights law—particularly article 8 of the ECHR—focuses on is the necessity of introducing additional safeguards to prevent the misuse of legislation that allows public bodies to interfere with people’s privacy rights. At the moment, as the Bill sets out, we [would] have very weak safeguards when both national security certificates and designation notices are in place. At the moment, there is an opportunity, at least on the face of the Bill, for both those measures to be challenged before the courts. However, the issue here is that the Secretary of State [would have] almost a monopoly over deciding whether those notices and certificates get published. So yes, although on the face of the Bill an individual may be able to challenge a national security certificate or a designation notice that has impacted them in some way, in practice they will not be able to do that if they do not know that it exists.
‘Finally, one encompassing issue is the expansive powers for the Secretary of State. One thing that we advocate is increased independent oversight. In the Bill, the Secretary of State has an extremely broad role in authorising law enforcement bodies to process personal data in a way that would otherwise be unlawful and go further than the existing regimes under the Data Protection Act 2018. Those are our three broad concerns in that regard. Ultimately, we do not see that the right balance has been made.’
The Hansard transcript of the debate, a recording of the debate, and RSI’s briefing are available online.