Data Protection Bill [ Lords ] (Morning sitting)
Debate between Darren Jones and Brendan O'Hara(6 years, 1 month ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Brendan O'Hara (Argyll and Bute) (SNP)
It is a pleasure to serve under your chairmanship this afternoon, Mr Streeter.
I support amendment 154. We strongly recommend that if the Government are, as they claim to be, serious about providing the best possible data protection regime to achieve the gold standard that they often talk about for UK citizens, they should look again at the issue of collective redress and make provision for suitably qualified non-profit organisations to pursue data protection infringements and breaches of their own accord, as provided for by the GDPR.
The right hon. Member for Birmingham, Hodge Hill rightly said that the amendments would allow representative bodies to bring such cases, but would also allow individuals to opt out. Currently there is not a level playing field. If the Bill is not amended, the already uneven playing field will become impossibly uneven for individuals whose rights are breached or infringed—probably by a tech giant.
Collective redress was one of the most controversial and hotly debated issues when the Bill was in the House of Lords. The Government resisted all attempts to change it there. There have been slight amendments since then, and an understanding has been reached, but I feel that what the Government propose does not go nearly far enough to address the concerns expressed by Scottish National party and Labour Members.
Anna Fielder, a former chair of Privacy International, wrote:
“Weak enforcement provisions were one of the widely acknowledged reasons why the current data protection laws, in the UK and elsewhere in Europe, were no longer fit for purpose in the big data age. As a result, it has been more convenient for organisations collecting and processing personal information to break the law and pay up if found out, than to observe the law — as profits made from people’s personal information vastly outweighed even the most punitive of fines.”
That is the situation we are in, and it is incumbent on legislators to level the playing field—not to make it even more uneven. However, as the Bill currently stands, it only enables individuals to request that such suitably qualified non-profit organisations take up cases on their behalf, rather than allowing the organisations themselves to highlight where they believe a breach of data protection law has occurred.
All too often, as has been pointed out on numerous occasions, individuals are the last people to know that their data has been unlawfully and in many cases illegally used. They depend on suitably qualified non-profit organisations, which are there to conduct independent research and investigations, to inform them that that is the case. Indeed, there was a very striking example recently in Germany, where the consumer federation took one of the tech giants to court over a number of platform breaches of current German data protection law, and it won. However, there are numerous examples across the world of organisations and groups highlighting bad or illegal practices that would hitherto probably have gone unnoticed here.
Privacy International recently published a report on the use and possible abuse of personal data connected to the rental car market. Which? has carried out research on online toys that are widely available in this country, which could pose serious child safety risks. The Norwegian consumer council has done similar work on toys, as well as exposing unlawful practices by health and dating apps.
Across the world, there are groups that do collective redress work very successfully in Belgium, Italy, Portugal, Spain, Sweden, Canada and Australia. I urge the Government to reconsider the matter and to see the great consumer benefits and protections that would come from accepting amendment 154. It would give not-for-profit organisations the right to launch complaints with a supervisory authority, as well as seeking judicial remedy, when it considered that the rights of a data subject under the GDPR had been breached.
I repeat that at the moment we have an uneven playing field. If the Bill goes through unamended it will become an impossible playing field for consumers, so I urge the Government to accept the amendment.
Darren Jones
I promise not to speak at every opportunity today, Mr Streeter; I am conscious that it is a Thursday and that Members have constituencies to get to, but on this point I will just add my support to the amendment tabled by my right hon. Friend the Member for Birmingham, Hodge Hill.
The Bill puts us in a position that we should not have been in in the first place. The Government’s original view was that they were not going to implement article 80 of the GDPR; they have now gone one step in that direction, and I support the aim that we go the whole hog.
I recognise from my work previous to being an MP that a lot of tech companies are not evil; they want to do the right thing and go about being successful as businesses. It was partly my job in the past to look at these areas of law on behalf of companies, and to work with campaigning groups, regulators and others. It was about being an internal voice to make sure that there was the correct balance within businesses was correct between considering consumers and being pro-business. This amendment would help to facilitate that conversation, because if bodies such as Which? that are private enforcers on behalf of consumers had these legal rights, then of course there would be an obligation on businesses to have ongoing dialogue and relationships. They would have to make sure that consumers’ concerns were at the forefront and that they were doing things in the right way.
The balance to be struck is really important. The Information Commissioner’s Office, for example, has lost quite a lot of staff to other companies recently. The Minister’s Department had to increase the salary bands for ICO staff to try to keep them there. In other sectors of the regulated economy, having private enforcers on behalf of consumers as a collective group works perfectly well for existing regulators.
In the telecommunications sector, in which I have worked in the past, there is Ofcom, which regulates the telecom sector, but there is also Which?, working as a private enforcer under the Consumer Rights Act 2015, which can act on behalf of consumers as a group. That works perfectly well and as my right hon. Friend said, private enforcers will not just start bringing these super-complaints every week, because the risk would be too high. They will only bring these super-complaints when they have failed in their dialogue and have no choice.
Data Protection Bill [ Lords ] (Third sitting)
Debate between Darren Jones and Brendan O'Hara(6 years, 1 month ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Brendan O'Hara (Argyll and Bute) (SNP)
It is a pleasure to serve under your chairmanship this afternoon, Mr Streeter.
I support amendment 154. We strongly recommend that if the Government are, as they claim to be, serious about providing the best possible data protection regime to achieve the gold standard that they often talk about for UK citizens, they should look again at the issue of collective redress and make provision for suitably qualified non-profit organisations to pursue data protection infringements and breaches of their own accord, as provided for by the GDPR.
The right hon. Member for Birmingham, Hodge Hill rightly said that the amendments would allow representative bodies to bring such cases, but would also allow individuals to opt out. Currently there is not a level playing field. If the Bill is not amended, the already uneven playing field will become impossibly uneven for individuals whose rights are breached or infringed—probably by a tech giant.
Collective redress was one of the most controversial and hotly debated issues when the Bill was in the House of Lords. The Government resisted all attempts to change it there. There have been slight amendments since then, and an understanding has been reached, but I feel that what the Government propose does not go nearly far enough to address the concerns expressed by Scottish National party and Labour Members.
Anna Fielder, a former chair of Privacy International, wrote:
“Weak enforcement provisions were one of the widely acknowledged reasons why the current data protection laws, in the UK and elsewhere in Europe, were no longer fit for purpose in the big data age. As a result, it has been more convenient for organisations collecting and processing personal information to break the law and pay up if found out, than to observe the law — as profits made from people’s personal information vastly outweighed even the most punitive of fines.”
That is the situation we are in, and it is incumbent on legislators to level the playing field—not to make it even more uneven. However, as the Bill currently stands, it only enables individuals to request that such suitably qualified non-profit organisations take up cases on their behalf, rather than allowing the organisations themselves to highlight where they believe a breach of data protection law has occurred.
All too often, as has been pointed out on numerous occasions, individuals are the last people to know that their data has been unlawfully and in many cases illegally used. They depend on suitably qualified non-profit organisations, which are there to conduct independent research and investigations, to inform them that that is the case. Indeed, there was a very striking example recently in Germany, where the consumer federation took one of the tech giants to court over a number of platform breaches of current German data protection law, and it won. However, there are numerous examples across the world of organisations and groups highlighting bad or illegal practices that would hitherto probably have gone unnoticed here.
Privacy International recently published a report on the use and possible abuse of personal data connected to the rental car market. Which? has carried out research on online toys that are widely available in this country, which could pose serious child safety risks. The Norwegian consumer council has done similar work on toys, as well as exposing unlawful practices by health and dating apps.
Across the world, there are groups that do collective redress work very successfully in Belgium, Italy, Portugal, Spain, Sweden, Canada and Australia. I urge the Government to reconsider the matter and to see the great consumer benefits and protections that would come from accepting amendment 154. It would give not-for-profit organisations the right to launch complaints with a supervisory authority, as well as seeking judicial remedy, when it considered that the rights of a data subject under the GDPR had been breached.
I repeat that at the moment we have an uneven playing field. If the Bill goes through unamended it will become an impossible playing field for consumers, so I urge the Government to accept the amendment.
Darren Jones
I promise not to speak at every opportunity today, Mr Streeter; I am conscious that it is a Thursday and that Members have constituencies to get to, but on this point I will just add my support to the amendment tabled by my right hon. Friend the Member for Birmingham, Hodge Hill.
The Bill puts us in a position that we should not have been in in the first place. The Government’s original view was that they were not going to implement article 80 of the GDPR; they have now gone one step in that direction, and I support the aim that we go the whole hog.
I recognise from my work previous to being an MP that a lot of tech companies are not evil; they want to do the right thing and go about being successful as businesses. It was partly my job in the past to look at these areas of law on behalf of companies, and to work with campaigning groups, regulators and others. It was about being an internal voice to make sure that there was the correct balance within businesses between considering consumers and being pro-business. This amendment would help to facilitate that conversation, because if bodies such as Which? that are private enforcers on behalf of consumers had these legal rights, then of course there would be an obligation on businesses to have ongoing dialogue and relationships. They would have to make sure that consumers’ concerns were at the forefront and that they were doing things in the right way.
The balance to be struck is really important. The Information Commissioner’s Office, for example, has lost quite a lot of staff to other companies recently. The Minister’s Department had to increase the salary bands for ICO staff to try to keep them there. In other sectors of the regulated economy, having private enforcers on behalf of consumers as a collective group works perfectly well for existing regulators.
In the telecommunications sector, in which I have worked in the past, there is Ofcom, which regulates the telecom sector, but there is also Which?, working as a private enforcer under the Consumer Rights Act 2015, which can act on behalf of consumers as a group. That works perfectly well and as my right hon. Friend said, private enforcers will not just start bringing these super-complaints every week, because the risk would be too high. They will only bring these super-complaints when they have failed in their dialogue and have no choice.
Data Protection Bill [ Lords ] (Second sitting)
Debate between Darren Jones and Brendan O'Hara(6 years, 1 month ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Brendan O'Hara
The hon. Gentleman is absolutely correct; I was just getting on to the point about the information held by the Home Office. If it cannot be checked and if it is wrong at source, it is wrong at the end of the process. As far as I can see, there are no safeguards against that. He is absolutely correct that one early error in data collection and processing becomes an irrefutable and indisputable fact by the time it reaches the Home Office. The Home Office could then base its case against an individual on that wrong information.
The hon. Gentleman is right—as constituency MPs, there is not one of us, I am sure, who is not painfully aware of wrong information being held not just by the Home Office, but by a whole range of Departments. That makes the exemption fundamentally unfair. This is an issue of basic fairness and there is little wonder it has been so loudly and roundly condemned by civil liberties groups and many in the legal profession. If we go ahead with the schedule as it stands, it fundamentally changes how we can operate and how we can help people who require our assistance.
At the moment, we have subject access requests. As matters stand, the Home Office and the subject or their legal representative have a right to access the same information, on which legal claims and challenges are based. Surely, if both sides do not have access to the same information, the fairness of any legal proceedings is inevitably compromised. Subject access requests are often the only route through which a legal professional can make representations on very complicated issues on behalf of their client. Indeed, for clients who have been victims of domestic abuse and are fleeing an abusive partner, sometimes a subject access request is all that stands between them and a successful application to remain.
This exemption will reduce legal representatives’ ability to best represent their clients and it removes a fundamental tool for holding the Home Office to account when it either gets things wrong or chooses to ignore or misrepresent the facts. The exemption is fundamentally unfair and as unnecessary as it is disproportionate. I urge the Government to reconsider.
Darren Jones
I support the amendment tabled by my right hon. and hon. Friends, because there are some harsh realities about this exemption for effective immigration control, including the harsh reality that such an exemption right does not exist under the GDPR. Indeed, it is a new exemption compared with the law that exists today under the Data Protection Act 1998.
This broad, undefined exemption really must be restricted. I declare an interest. My wife is Australian and is here on a spousal visa. I therefore assume that, as a British citizen, I too could be subject to my rights being exempted for the effective control of immigration in order to understand what my wife is up to. I should declare for the record that her staying here in the UK is perfectly legitimate. This is a wide-ranging exemption that could apply to EU citizens, non-EU citizens and, as I say, British citizens who are connected with those who are subject to immigration controls.
This is not just an issue for the Home Office; there is data across various Departments that could be of use to the Home Office for the effective control of immigration. Indeed, we have been waiting for quite some time for the Government to publish the biometric strategy, setting out how they intend to use lots of biometric data across Government Departments. We have been waiting for a couple of years to see how the Government intend to do that.
My understanding is that if all the photographs held on our passports and driving licences were collated, in essence the Government would have the power to have a virtual ID card for the bulk of the adult population in this country. How on earth would that information be used for the effective control of immigration, which would potentially be applied to so many people here in the UK?
This exemption creates a derogation for many rights: the right to information, the right to access, the right to explanation, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, and all the principles set out in article 5 of the GDPR. This is an enormous derogation from rights that our colleagues in Europe think are important. Again, this relates to the risk of failing to seek adequacy in our negotiations with the EU.
I seek not only to support the amendment but to ask the Minister to clarify something. If the Government do not support the amendment, how does the exemption fit within the language of article 23 of the GDPR, which states that it can only exist
“when such a restriction respects the essence of the fundamental rights”—
which we have already noticed today are being repealed by this Government—
“and freedoms and is a necessary and proportionate measure in a democratic society”?
My assertion is that this exemption goes too far and, therefore, that the amendment tabled by my right hon. and hon. Friends is perfectly sensible. I look forward to it receiving Government support.
Data Protection Bill [ Lords ] (First sitting)
Debate between Darren Jones and Brendan O'Hara(6 years, 1 month ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Brendan O'Hara (Argyll and Bute) (SNP)
I rise in support of new clause 12, for two reasons. With the Bill as it stands, we see an erosion of the rights of UK citizens in a range of areas. This is particularly important because, as drafted, the EU (Withdrawal) Bill, eliminates important rights that are protected by article 8 which would otherwise constrain Ministers’ ability to erode the fundamental data protection rights that we currently enjoy.
On top of that, it is essential that, post-Brexit, the United Kingdom has an adequacy agreement with the rest of the European Union. As we have heard from the right hon. Member for Birmingham, Hodge Hill, if the United Kingdom fails to secure an adequacy agreement, I fear there will be a flight of high-tech, high-skilled jobs from the United Kingdom to other parts of the European Union.
For the UK to be able to take full advantage of this vital continued free flow of data with the rest of the European Union post Brexit, the most straightforward route is an adequacy agreement. As I have heard argued before, that decision is not as straightforward as one would hope. An adequacy agreement is not simply in the Commission’s gift to give; it is a legal judgment.
If I could point again to the data protection lawyer, Rosemary Jay, who said that the EU had to go through a legislative process, and it was simply not in the EU’s gift to do this in any informal way. The Commission has to go through a legislative process in order to give the UK an adequacy agreement. There are further complications because, with an adequacy agreement, the European Commission has to consider a variety of issues, such as the rule of law, respect for human rights, and legislation on national public security and criminal law. That being so, as it currently stands, the Investigatory Powers Act may well prove a block to achieving adequacy. The Act has already been accused of violating the European Union’s charter of fundamental rights. Eduardo Ustaran, the internationally recognised expert, has said:
“What the UK needs to do is convince the Commission—and perhaps one day the European Court of Justice—that the Investigatory Powers Act is compatible with fundamental rights. That’s a tall order”.
While I can understand that the Government are absolutely desperate to secure an adequacy agreement, the harsh reality is that, in these challenging circumstances and with this challenging legal process, it is not going to be as simple as perhaps we had hoped.
No one wants this situation to arise; it is absolutely essential that we have this deal, but, as GDPR evolves over time—as it surely will—in order to maintain that adequacy status, should we attain it, the UK will have to keep its data protection law in line with GDPR. The EU charter of fundamental rights and freedoms is absolutely central to EU data protection law. If we exclude ourselves now from article 8, the chances of achieving adequacy are seriously jeopardised, and the chances of maintaining adequacy are further jeopardised. I urge the Government please to consider the long and short-term consequences of not accepting this new clause. Without article 8, I cannot see how we will achieve or maintain adequacy, and if we cannot achieve and maintain adequacy, the consequences for UK high-tech businesses are unfathomable.
Darren Jones (Bristol North West) (Lab)
Thank you, Mr Hanson. It is a pleasure to serve under your chairmanship on my first Bill Committee.
I rise to support the comments made by my right hon. Friend the Member for Birmingham, Hodge Hill about the importance of adequacy and its link to article 8 of the charter of fundamental rights, and therefore in support of new clause 12. The Bill is pragmatic in seeking to bring GDPR principles into areas of non-EU competence and to provide a legislative parking space for GDPR if the UK leaves the European Union. However, we cannot get away from the fact that GDPR in itself has a legal basis that is anchored to the European charter of fundamental rights. In trying to copy and paste that level of protection into UK law, we must therefore also bring with it the fundamental rights to which it is attached.