The UK Data Protection and Digital Information Bill (the Bill) received its second reading in the House of Lords on 19 December 2023. Although the Bill cleared that crucial milestone, the debate focused on the government’s last-minute introduction of sweeping powers enabling the Secretary of State to require banks and other financial service providers to monitor and to provide information from accounts into which benefits are paid. Although ostensibly intended to identify fraud, the Lords echoed the view expressed by campaigning group, Big Brother Watch, that it would be:
“wholly inappropriate for the UK Government to order private banks, building societies and other financial services to conduct mass, algorithmic, suspicionless surveillance and reporting of their account holders on behalf of the state”.
Mass 24/7 surveillance?
The proposed new powers stem from clause 128 of the Bill and are set out in the new Schedule 11. They would enable the Secretary of State to give an “Account Information Notice” requiring a bank or other provider of financial services to provide information about accounts into which a wide range of “benefits” are paid and in relation to other “linked” accounts. For example, if benefits were paid into a recipient’s current account, then the bank would be required to provide information about any savings or other accounts held by that recipient (whether alone or jointly with others).
Under current law, the Department for Work and Pensions (DWP) can request details of bank accounts and transactions on a case-by-case basis on suspicion of fraudulent activity. Schedule 11 would considerably extend that power, allowing regular checks to be carried out on the bank accounts held by benefit claimants to spot increases in their savings which push them over the benefit eligibility threshold, or when people spend more time overseas than the benefit rules allow for.
Schedule 11 also applies to an extremely wide range of “benefits” including state pensions, universal credit, working tax credit, child tax credit, child benefit, pension credit, jobseeker’s allowance, and personal independence payments. Lord Bassam suggested that the list might cover up to 40% of the UK’s population, while Lord Sikka put the figure at up to 22.6 million. Lord Knight characterised the proposed power as “giving Ministers extensive access to the bank account data of benefit claimants and pensioners without spelling out the precise limitations or protections that go alongside those powers”.
Baroness Young expressed concerns about the extent of intrusion, the wide definition of “benefits” and the potential for further expansion of the powers:
This is legitimising mass surveillance by algorithm. This seems to me to be a major intrusion into the privacy of pretty well all individuals in the UK… It is strange that pension claimants are included. A pension, in my view, is a right, not a benefit;… The Minister said in another place that they intend to extend this sort of surveillance process to other data areas. Can the Minister tell us what other areas and when that extension might take place?
A compliance challenge for banks?
While concerns in the House of Lords focused on the risk of overreach of government into people’s private lives through mass, suspicionless surveillance, the proposals also present a significant practical challenge to banks and other financial service providers.
Schedule 11 makes it clear that it is the bank’s responsibility to identify and provide information from “matching accounts”. On receipt of an Account Information Notice, the bank must provide detailed information including the names of the holders of accounts into which specified benefits are paid together with information about any “linked” accounts. An account is to be regarded as linked to another if the same person holds both accounts. Banks will therefore have to carry out careful data matching exercises and checks to ensure that accounts held by individuals with similar names, or accounts held by individuals who have frequently changed their address, are not erroneously matched, resulting in the disclosure of personal data relating to other customers and amounting to a personal data breach. As such, banks and financial service providers will be under increased financial and resource burdens due to these increased responsibilities.
Failure or delay in providing information would expose banks and other financial services providers to the risk of penalties. The maximum fixed penalty is initially set at £1,000. Daily penalties are initially set at a maximum of £40, though there is power to increase that rate to £1,000 per day if failure extends beyond 30 days. Although nowhere close to the level of fines applicable under UK GDPR, an ongoing failure or delay to provide this information across multiple different accounts could become increasingly costly. As such, the imposition of penalties would be a public matter and would therefore carry the risk of reputational harm. Banks might also be driven to incur the cost of appeal to the Tribunal if penalties are considered to be unwarranted.
Data protection?
Schedule 11 expressly empowers the Secretary of State to require information from “matching” and “linked” accounts, including those held jointly by the recipient of benefits. Information derived from those accounts would be likely to give a detailed and potentially highly intrusive picture of the private lives of all those involved. This is especially the case for those individuals who receive absolutely no benefits at all but share a joint account with someone who does, thereby subjecting them to such unnecessary and intrusive surveillance.
Lord Sikka observed that the scope of the proposed power suggests that the Government is looking for unusual cash-flow patterns. He continued:
“What that means is that, if anyone gives a lump sum to a loved one for Christmas, a birthday, a holiday or home repairs, and it passes through their bank account, the Government could seize on that as evidence of excess resources and reduce or stop their benefits. Suppose that a poor person pawns some household items for a few pounds and temporarily boosts his or her bank balance. Would that person now be labelled a fraudster and lose benefits?… Many retirees have a joint bank account with another member of the family or with a friend. Under the Government’s crazy plans, the third party would also be put under surveillance because they happen to have a joint account”.
Information derived from accounts would be likely to include personal data relating to all account holders, with the risk that some of that information might constitute “special category” data. Schedule 11 expressly provides that in complying with an Account Information Notice, a bank or other financial services provider would be exonerated from any breach of confidence owed to the account holder and also from any other restriction on the processing of information. There is a specific (and somewhat circular) provision relating to processing that would otherwise contravene data protection legislation. While the Schedule 11 power would not authorise and “is not exercisable to require” such unlawful processing, the relevant provision states that “in determining whether processing of personal data would do so, that power is to be taken into account”. While that provision appears to mean that a bank could not rely on Article 6(1)(c) (“processing is necessary for compliance with a legal obligation to which the controller is subject”), it would potentially be able to rely on Article 6(1)(f) (“legitimate interests”) as its lawful basis for disclosure. That position would be somewhat uncomfortable for the bank as it would be open to individuals to object to the bank’s reliance on legitimate interests, requiring a potentially costly and time-consuming balancing exercise in response to each objection received. A bank could seek to manage this risk by undertaking a generic legitimate interest assessment (LIA). However, objections made by individual data subjects under Article 21 must be on “grounds relating to his or her particular situation”. Consequently, a generic LIA would have to be tested in each case against the specific grounds asserted by the data subject. The scope for cost- and time-saving is, therefore, limited.
EU adequacy?
The question of EU adequacy also loomed large in the House of Lords second reading debate. At the start of the House of Commons committee stage the Information Commissioner stated that the Bill would not threaten the EU’s adequacy decision in favour of the UK. However, the force of that statement was considerably diminished by the raft of government amendments tabled just as the Bill was completing its House of Commons stages.
The Information Commissioner issued an updated statement in relation to the Bill as brought to the House of Lords. While still largely positive, the updated statement introduced an important note of caution in relation to the proposed Schedule 11 powers:
“While I agree that the measure is a legitimate aim for government, given the level of fraud and overpayment cited, I have not yet seen sufficient evidence that the measure is proportionate …“”.
Lord Allan of Hallam observed:
The consequences of the loss of EU adequacy, or even significant uncertainty that this is on the horizon, will be that UK businesses that work on a cross-channel basis will be advised by their lawyers to move their data processing capability into the EU. They would feel confident serving the UK from the EU, but not the other way around. This is precisely what has happened in the context of transatlantic data flows and will hardly make Britain the best place in the world to do e-business…we will be taking one step forward but two steps back if that is a consequence of this Bill.
The EU adequacy decision in favour of the UK is due to be reviewed in 2025. However, that review could be accelerated if the EU Commission were to take the view that UK law was diverging in a way that would diminish or undermine the level of protection afforded to data subjects. Bulk digital surveillance has been a point of particular concern from an EU perspective – and bulk surveillance on a “suspicionless” basis is likely to raise significant questions.
Clause 128 and Schedule 11 are likely to generate significant debate and controversy once the House of Lords committee stage gets underway in the coming weeks.