Data (Use and Access) Bill [HL]

Third Reading

My Lords, I will make a brief statement on the devolution status of the Bill. Parts 1, 2, 3 and 7 of the Bill include provisions within the legislative competence of the Northern Ireland Assembly, the Senedd Cymru and the Scottish Parliament. On 22 October, the Secretary of State for Science, Innovation and Technology wrote to counterparts in Northern Ireland, Scotland and Wales, seeking their agreement to initiate the legislative consent process and to support a legislative consent Motion in the Northern Ireland Assembly, the Scottish Parliament and the Senedd Cymru. Since the beginning of the Bill’s passage, my officials have been in regular contact with the Northern Ireland Civil Service, the Welsh Government and the Scottish Government. We are hopeful that the legislative consent process will progress swiftly over the coming weeks, ahead of Report in the other place.

Although it has not been possible to secure consent by this time, I take this opportunity to thank officials in Northern Ireland, Scotland and Wales and express my gratitude for the close working throughout the passage of the Bill. We remain committed to sustained engagement on the Bill with all three devolved Administrations as it progresses through Parliament.

Amendment 1

1: After Clause 80, insert the following new Clause— “Data protection by design: children’s higher protection matters(1) Article 25 of the UK GDPR (data protection by design and by default) is amended as follows.(2) After paragraph 1 insert—“1A. In the case of processing carried out in the course of providing information society services which are likely to be accessed by children, when assessing what are appropriate technical and organisational measures in accordance with paragraph 1, the controller must take into account the children’s higher protection matters.1B. The children’s higher protection matters are—(a) how children can best be protected and supported when using the services, and(b) the fact that children—(i) merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing, and(ii) have different needs at different ages and at different stages of development.”(3) In paragraph 3, for “1 and 2” substitute “1 to 2”. (4) At the end insert—“4. Paragraphs 1A and 1B are not to be read as implying anything about the matters that may be relevant to the assessment of what are appropriate technical and organisational measures for the purposes of paragraph 1 in cases other than those described in paragraph 1A.5. In this Article, “information society services” does not include preventive or counselling services.””Member’s explanatory statement This amendment imposes duties to take account of matters relating to children on controllers involved in providing information society services which are likely to be accessed by children. The duties apply when these controllers are designing the means of processing personal data and when carrying out the processing.

I will now speak to the government amendment tabled in my name. The Government are firmly committed to protecting children’s personal data and ensuring that online services likely to be accessed by children are designed with their safety and privacy in mind. We have listened carefully to the concerns raised in this House during earlier debates and have worked quickly to bring forward this amendment, which reflects those discussions. During the debate on 21 January, I made clear that, while we could not accept Amendment 22 from the noble Baroness, Lady Kidron, which would have placed new duties on all data controllers, the Government were open to a more targeted approach that addressed the areas of greatest concern.

This amendment delivers on that commitment. It amends Article 25 of the UK GDPR, which already requires data controllers to design appropriate organisational and technical measures to implement the data protection principles. The amendment strengthens these obligations for information society services providers, such as social media and the streaming sites likely to be accessed by children.

They will be required to give extra consideration when deciding which measures are appropriate for online services likely to be accessed by children. Specifically, information society services providers must consider

“the children’s higher protection matters”

set out in the clause when designing their processing activities. These are:

“how children can best be protected and supported when using the services, and … the fact that children … merit specific protection with regard to their personal data because they may be less aware of the risks and … their rights in relation to such processing, and … have different needs at different ages and at different stages of development”.

The new duty expressly applies to

My Lords, I support the amendment in the name of the Minister, to which I have added my name, and welcome his words from the Dispatch Box. As he said, this new duty provides a direct and unequivocal legal duty on all information society services likely to be accessed by a child and acknowledges in the Bill that services outside the definition of ISS must also consider children—indeed, they must consider children’s specific protections when determining how to process their data.

For the last decade, I and others have fought to establish minimum standards to ensure the safety and privacy of children in the UK and, over time, we have learned that we cannot assume a trajectory of progress. Standards can go down as well as up, and we cannot be sure that the intentions of Parliament will always be interpreted as robustly as promised.

I am concerned about the impact of tech lobbying on this Bill, the regulator and the Government’s wider digital strategy. I hope that the companies represented by those lobbyists will take note of this amendment as a sign that, when it comes to children, they have absolute responsibilities under the law. The Bill team has persuaded me that the child-specific duties on the ICO in the Bill, in combination with its new reporting duties, mean that the ICO will report separately about steps it has taken and will take to uphold children’s heightened data rights. I would be grateful if the Minister could confirm that that is also the Government’s expectation.

On Report the Minister told the House:

“The new ICO duties set out in the Bill will ensure that where children’s interests are relevant to any activity the ICO is carrying out, it should consider the specific protection of children. This includes when preparing codes of practice”,—[Official Report, 21/1/25; col. 1692.]

including the promised action to deal with the problems of edtech and the new code on AI. I have spoken to many noble Lords in the Lords tech team, and we all welcome and look forward to the promised engagement from both the ICO and the department during the development of those codes.

I thank the Minister and the Bill team for their efforts in introducing this measure, and I ask the Minister to commit to writing to the ICO to confirm its expectation that it will reflect that UK data law has been further strengthened through this new duty to consider children’s higher protection matters. As he said, the AADC is not optional.

Finally, I congratulate the Home Secretary, the Secretary of State for DSIT and the Safeguarding Minister on the Government’s recent announcement that they will introduce legislation to make it illegal to possess, create or distribute AI tools designed to create child sexual abuse material. But I am also keen to recognise that this proposal was originally brought forward by this House as an amendment to this Bill and its predecessor. It would not have been possible without the hard work and support of countless noble Lords and MPs to secure this new law, including but not limited to the noble Lords, Lord Clement-Jones, Lord Stevenson and Lord Bethell, the noble Viscount, Lord Camrose, the noble Baroness, Lady Harding, and my noble friend Lord Russell.

This law addresses a clear and urgent need. I record our collective gratitude to the specialist police officers who, in addition to their front-line duties, took time to bring this issue to our attention and provided advice and input throughout. I also thank 5Rights, the NSPCC, the IWF, the Telegraph, Sky News and the BBC. Pushing for change, even change that is so clearly needed, is the tireless work of many people. Our thanks are due to them as our hearts go out to those who have been victims.

My Lords, the little exchange we have just had, which was most welcome, arose because it became clear in Committee that there were meetings of minds but not meetings of words in what had been presented there. I am pleased to join the noble Baroness, Lady Kidron, in congratulating the department, including the Minister and the Bill team, on listening to the House. When the House gets behind a theme or topic and expresses it across all sides, it is worth listening to what is being said and thinking again about what was originally proposed, so that what comes out in the end is for the good of all.

It is always a bit unnerving to be namechecked in somebody else’s speech, and I am grateful to the noble Baroness, Lady Kidron, for picking up the tech group, as she calls it, which has been following this and other Bills for the past five or six years. It has got together on many occasions to improve what we have seen before us, and I hope that the House recognises that. It is also important to recognise that when we speak as a House, we have a power that is worth engaging with, as we have shown on this occasion. I am grateful to the Minister for recognising that in his words at the Dispatch Box.

My Lords, I rise briefly to congratulate the Minister and the noble Baroness, Lady Kidron, on the amazing work she has done. Furthermore, I appeal to the Government and all the different departments that may be involved in bringing before Parliament any legislation that in any way, shape or form involves children. We have repeatedly had to deal with Bills that have arrived in this House where it is quite clear that the needs and vulnerabilities of children are not being recognised right from the beginning in the way the legislation is put together. We have to pull it apart in this House and put it back together, because it has not been thought of properly in the first place.

I appeal to the Minister to ensure that the left hand knows what the right hand is doing. We need to learn the lessons of the battles that we have had to fight in recent years with a variety of Bills—largely successfully, mainly thanks to the noble Baroness, Lady Kidron. We do not want to keep on repeating those battles. We need to learn and do better.