The Parliamentary Under-Secretary of State for Culture, Olympics, Media and Sport (Mr Edward Vaizey)

- Hansard -

Copy Link

-

It is a pleasure to serve under your chairmanship this afternoon, Mr Weir. I was going to begin by saying that today’s debate was no time for clichés but that I felt the hand of history on my shoulder, because I was under the impression that this was the first Backbench Business Committee debate. In fact, it is the first such debate in Westminster Hall—there have, of course, been three previous Backbench Business Committee debates in the Chamber.

However, I will stick with the cliché that the hand of history is on my shoulder as I congratulate my hon. Friend the Member for Harlow (Robert Halfon) on initiating this important debate, because I think it is one of the few times that Parliament has debated properly this important aspect of the internet—that is, how it affects people’s privacy. I suspect that the issue was raised when the Digital Economy Bill was debated at length in the other place—it was debated only briefly in the House of Commons. There have been few, if any, debates on this important issue, which touches almost everyone’s life, or at least those who go online.

Let me begin by setting out a few principles and general thoughts and approaches, before I talk specifically about the Government’s approach to privacy on the internet. On the spectrum of opinion within the coalition, I should say that I am firmly on the civil libertarian wing of the Conservative and Liberal Democrat party. I believe that one of Government’s watchwords should be “Protect individuals’ freedoms.” I campaigned strongly against identity cards, and I believe that the state should not intrude in people’s lives, and should protect the freedoms of individuals when others seek to do so.

I also remain personally concerned about the very serious breaches of people’s privacy on the internet. Many such breaches are unintentional and very few are brokered by internet-based organisations and companies. They are mostly down to the bad behaviour of individuals who would, no doubt, behave badly whether the internet existed or not. A story in The Sun today refers to a lady, Carolyn Owlett, who had her Facebook identity stolen and the serious consequences that had for her. The story is effectively about an unpleasant individual—not Ms Owlett, I hasten to add, but the woman who stole her identity—who used the internet as a tool with which to make someone else’s life a misery. However, that story does not necessarily reflect badly on Facebook. I will come back to the possible remedies for such a situation.

It is important to put the debate in context. We are right to be concerned about the effect of the internet on privacy, but we should also remember that one of the reasons it is having such an impact is that so many of us voluntarily use it. There was a vigorous debate about Facebook’s privacy settings, and that was perfectly legitimate. However, we should remember that the reason Facebook is a big company that knows a lot about many of its users is that almost half the population of this country are members of Facebook, as are more than 500 million people worldwide.

Picking up on the useful intervention of the hon. Member for Falkirk (Eric Joyce) and the illuminating marketing seminar given by my hon. Friend the Member for East Hampshire (Damian Hinds), we should remember that, when it comes to data harvesting, personal data have always been collected by commercial companies to enable them to sell products. I do not have a Tesco clubcard, but those who do are in effect given that card so that Tesco can monitor their spending habits and sell them more products.

Mr Vaizey

- Hansard -

Copy Link

-

My hon. Friend has raised two very important points that encapsulate the two principles behind the debate, which is unsurprising, given that he secured it. First, the internet is an enormous step change in the collection of personal data. What are the implications of that? Secondly, given that enormous step change, what rights—I use the word advisedly—should consumers have to protect their personal data when they interact with organisations on the internet?

Another general point about internet regulation is that a consistent approach to it is rarely adopted. It is always interesting to see those who want the internet to be regulated and those who do not. The hon. Member for Cambridge (Dr Huppert), who made a useful speech attacking the Digital Economy Act 2010, does not want the internet to be regulated when it comes to combating illegal file sharing, but he does want it regulated when it comes to protecting personal data. He kindly let me know that he would have to leave the debate at 4 o’clock to attend an event that he is hosting. He is very knowledgeable on the subject, and I hope that he will be prepared to share with me—an erstwhile colleague—the findings of the Liberal Democrat policy group on that issue, which will be an extremely useful contribution to the debate.

Mr Vaizey

- Hansard -

Copy Link

-

I hear what the hon. Gentleman says; when a senior Liberal Democrat comments that a junior Liberal Democrat is struggling with an issue, the junior Liberal Democrat should certainly take note of his colleague’s experience in the matter. The hon. Member for Bath (Mr Foster) made an incredibly useful contribution to the debate, as he always does, and mentioned the report published today by the Boston Consulting Group, which might have been commissioned by Google. The report estimated that in the UK alone, the internet economy is worth £100 billion. He was right to point out that a balance has to be struck between how we regulate the internet and protect personal privacy online on the one hand, and the fact that it is now an incredibly important economic force on the other. One of the reasons for its economic importance is that it has had the freedom to develop and businesses have had the freedom to establish themselves online.

We should make no mistake that the internet is regulated, a point that I make time and again. There sometimes seems to be a lazy assumption that what happens on the internet is beyond the law. That is absolutely not the case; illegal activity is still illegal, whether or not it takes place online. Indeed, we have a sophisticated and comprehensive regulatory framework that is intended to protect the individual, both offline and online. Matters of online privacy are regulated through the Data Protection Act 1998 and the Privacy and Electronic Communication (EC Directive) Regulations 2003, not to mention the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. Much of that is enforced through the Information Commissioner’s Office, which is responsible for upholding information rights, promoting openness by public bodies and enforcing data protection rights for individuals. Where a breach of those laws amounts to a criminal offence, appropriate enforcement action can be taken, either by the police or the Information Commissioner.

We all recognise, however, that there are practical differences between the online world and the physical world, which can cause difficulties for individuals and companies. My hon. Friend the Member for Harlow suggested that perhaps the time has come for an internet Bill of Rights, and I hear what he says. The Information Commissioner has published a code of practice on the collection of personal information online, and I have a copy here. It is 36 pages long and densely printed—I do not think the commissioner has worked in public relations—so I am not sure that it is being read in the Dog and Duck, but at least the detail exists. The commissioner would do well to meet my hon. Friend to discuss how the code of practice could be promoted and whether it meets some of the concerns that his proposed internet Bill of Rights would seek to address.

The code of practice sets down detailed guidance for public and private sector organisations operating online. It covers topics such as online marketing, cloud computing, the protection of young people online and, of course, privacy settings. The document is not set in aspic, and we continue to debate with a range of stakeholders how we can improve privacy online and other concerns. Only yesterday, the Department for Business, Innovation and Skills held a meeting with more than 100 stakeholders from across the sectors, including consumer interest groups and Consumer Focus, to discuss that issue. The ICO, as well as publishing the guidance, expects organisations to recognise that online processing brings with it new risks to individuals and that the mitigation of those risks requires careful consideration of privacy impacts before products and services are launched.

I want to take that further and to see businesses signing up openly to the ICO’s code of practice to demonstrate to their users that their services adhere to the highest standards. I cannot remember who asked, in an intervention, whether some sort of kitemark might be useful for internet sites. If an internet company signs up to the code of practice and adheres to it, I think that that information should be clearly displayed on their home page for the reassurance of consumers. Indeed, a link to that code of practice might be provided—not necessarily 36 pages of dense text, but an easy-to-read summary that aids the consumer in understanding privacy implications.

Mr Vaizey

- Hansard -

Copy Link

-

I understand the hon. Gentleman’s point, but I want to see self-regulation and voluntary action by organisations on the internet. That is a theme that I want to develop in my speech—I have only one hour and 10 minutes remaining, so I will try to speed up a bit. We have a code of practice that many companies say they adhere to, so that information should be made available to consumers. Critical momentum could be built up if more well-known and legitimate websites signed up to the code, made that plain on their home pages and allowed consumers to see what that code states.

Mr Vaizey

- Hansard -

Copy Link

-

I could not agree more with my hon. Friend. I used to be a lawyer; he used to be a marketer. Marketers are far more useful to society than lawyers. The trouble is that the terms and conditions are written by lawyers who want to cross every t and dot every i to protect their own back in every eventuality. What the consumer wants are easy-to-understand guidelines. That is something that I want to look at with the major internet service providers and websites. I shall expand on that point later in my remarks, probably at about 10 minutes past 5.

The Information Commissioner’s enforcement powers under the Data Protection Act 1998 and the Privacy and Electronic Communication (EC Directive) Regulations 2003 include the issuing of information notices to request information so that he can establish whether legislation is being complied with by an organisation. He can issue enforcement notices if he is satisfied that a data controller—that is, a website—has contravened or is contravening the legislation, for example by failing to process data fairly and lawfully. In addition, the Information Commissioner can issue a civil monetary penalty of up to £500,000 for serious breaches of the Act, although that power only came into force in April 2010. That is an important point, given that I am about to speak about Google Street View and the controversy that surrounds it.

My hon. Friend the Member for Harlow made it clear that part of his reason for calling this debate was to discuss Google Street View and the harvesting of data. Although my hon. Friend the Member for Dudley South (Chris Kelly) is not a civil libertarian, he pointed out that that was possibly the greatest breach of privacy in the history of this country, given the huge amount of data that were collected, although I am not sure that it ranked with the two CDs that went missing from the Inland Revenue.

I am able to update the House on the position. The ICO learned from Google in May that, in addition to the mapping exercise that it was supposed to be undertaking, its Street View cars had unintentionally collected payload data from unsecured wi-fi installations as they passed. It is the Information Commissioner’s job to consider whether in such circumstances there has been a breach of the law. He has been considering the issue and, importantly, has been discussing it with information commissioners in many other countries, including Canada, which my hon. Friend the Member for Dudley South mentioned.

Given that Google reported the breach, the best practice at that point would have been to delete all the data. However, as the Metropolitan police were considering whether the breach warranted an investigation, the data have been kept for evidential purposes. I understand that the police have decided that it would not be appropriate to launch a criminal investigation, so I will meet the Information Commissioner next week to discuss what next step he intends to take in respect of the data, and Google’s breach of data protection. I do not want to pre-empt what the Information Commissioner will decide to do, but normally he would work with the organisation that has committed the breach and put in place mechanisms to ensure that it does not happen again. What is clear is that the Information Commissioner does not have the power to levy a fine because, as I said earlier, that power did not come in until earlier this year.

It is interesting to note that the Federal Trade Commission, which has also been investigating Google’s breach, issued a letter yesterday pointing out that it, too, will not pursue Google on the matter on the basis that, in a series of public round-table events that the FTC hosted during the summer of 2010,

“Google has recently announced improvements to its internal processes to address some of the concerns raised”,

including

“appointing a director of privacy for engineering and product management; adding core privacy training for key employees; and incorporating a formal privacy review process into the design phases of new initiatives. The company also publicly stated its intention to delete the…data as soon as possible”,

and gave assurances that none of the data would be used

“in any Google product or service, now or in the future.”

The other lesson that should be learned from what happened with Street View is that we are in uncharted territory. As the small smart cars with large cameras appeared in our streets, little action was taken by anyone. We took it in our stride—well, my hon. Friend the Member for Milton Keynes North (Mark Lancaster) reminded us that his constituents took action by blockading one of the cars.

My recommendation is that when an organisation undertakes an exercise of that kind in the future, the ICO should put in place ground rules and discuss with it what measures will be taken, so that the organisation does not inadvertently breach data protection rules. I certainly think that if an organisation such as Google decides in the future to undertake a harvesting procedure of that kind, that is what the Information Commissioner should do.

Hon. Members also raised concerns about companies that search the web looking for adverse comments made by customers or staff members on blogs or social networking sites. My hon. Friend the Member for Harlow said that that was out of order. With the greatest respect, I would say to him that that is possibly an example of where we seem to believe that doing something on the internet is wrong when doing something like it offline would be acceptable.

For example, people post comments online. When they do that, they put them into a public space, if they decide not to put in place any privacy settings. They have to comply with the law in the United Kingdom as it stands—the comments cannot be defamatory. This is a matter of judgment for the individual company in terms of its reputation and relationships with its employees and customers, but there is nothing technically wrong in searching websites to see what comments have been made about an organisation. Indeed, as my hon. Friend the Member for Dudley South said, almost poetically, which one of us has not entered their own name in a Google search?

Mr Vaizey

- Hansard -

Copy Link

-

That is a separate point. The point I am making is that if companies decide to search the web to see what people are saying about them online, that is a perfectly legitimate exercise, although there may be a different point in respect of their reputation. What my hon. Friend says about the use of people’s data without their knowledge is important, and I will come on to it, but although I now have an hour left to speak, I have been passed a note by my official which says that I need to speak for only 20 minutes. That gives a flavour of how well this speech is being received, at least in official terms.

Mr Vaizey

- Hansard -

Copy Link

-

If my hon. Friend gives me some evidence, I will look at it and have no hesitation in passing it on to the Information Commissioner, because that behaviour is clearly a breach of data protection.

Mr Vaizey

- Hansard -

Copy Link

-

I think that that would be a breach of my official’s privacy.

I shall turn briefly to Facebook and the consumer’s right to privacy. As I have already talked about the personal information online code of practice, hon. Members will be aware that there was great controversy earlier in the year about Facebook, because its privacy settings were seen as unclear. Its default settings put one in the public space as opposed to the private space, so, suddenly, one had to opt out of rather than into that sphere. I am delighted to say that Facebook has been working closely with colleagues at the Department for Education and is now a member of the UK Council for Child Internet Safety, as is Google and BlackBerry. As such, it follows the good practice guidance—produced to guide companies that provide internet services popular with children and young people—about what additional safeguards it can put in place to protect children online and provide a positive online experience. The guidance includes advice on companies’ obligations to ensure the privacy of their users’ information and on options and settings they can provide users to protect privacy further, and it recommends making information on safety and privacy easily accessible to users, so they understand the privacy options available. The UKCCIS continues to work with companies providing internet services used by children, including Facebook, to improve safeguards, including safeguarding their privacy.

On scraping and cookies, as I am sure hon. Members are aware, a cookie is a piece of text stored by a user’s web browser. There are many uses for cookies, including authentication, storing site preferences and shopping cart contents and as the identifier for a server-based session. Cookies are also used to speed up the user’s web browser as they help to remember the settings and options used the last time a website or page was visited. They have been a hot topic for some time. At the moment, information obtained through cookies can be used to categorise users’ internet interests to serve adverts that match broad interest categories, though the user should be able to refuse the import of cookies on to their machines. Clearly, that has commercial benefits, and, indeed, benefits to the individual—we should not be shy about saying that, and my hon. Friend the Member for East Hampshire was clear about the benefits of targeted marketing to individuals. However, organisations have to ensure that users are aware that they are collecting such information and know why.

The revised e-privacy directive will give users greater control by requiring organisations to get their agreement before the information is collected.

Mr Vaizey

- Hansard -

Copy Link

-

In terms of the UK Council for Child Internet Safety, I think that the issue needs to be addressed. As a matter of principle, we all accept that children deserve greater protection than adults do, whether offline or when accessing content online. We will continue to look at that.

Let us make no bones about it. As the hon. Member for Bath made clear, the key issue is not necessarily the harvesting of data on shopping habits, but the harvesting of data without consent or knowledge. There are some who say for example that Phorm, the company with which BT carried out an experiment, was providing a perfectly legitimate commercial service in allowing organisations to monetise their presence on the web by targeting adverts at certain consumers; if a consumer is particularly interested in a type of car, that advert could appear on screen while they are reading a web page. The website—for example, The Guardian or The Observer—could charge more for that advertisement and, therefore, monetise its online content. That is a legitimate argument, but huge concern was generated because there was no transparency. It was done without consumers’ knowledge and it was unknown what would happen to the data once they were collected or whether they would be transferred to third parties. At the heart of the debate is, above all, transparency over what data organisations harvest and the opportunity for the consumer to choose to opt in.

Mr Vaizey

- Hansard -

Copy Link

-

That is an important part of the debate. I shall talk later about the regulatory framework on e-privacy on which we are consulting, and it will be interesting to see the public’s response. There is certainly a strong argument that the consumer should not only be able to opt in, but know about their right to do so.

We are implementing changes to the e-privacy directive that strengthen privacy regulations in the online world, as part of our implementation of the European framework on electronic communications. We are consulting on those proposals, which could lead to changes to the privacy and electronic communications regulations and strengthen the Information Commissioner’s enforcement powers.

The directive has three key elements. First, effective, proportionate and dissuasive penalties will be introduced for any infringement of the directive’s provisions. Secondly, as part of the implementation of the revised e-privacy directive, we are also consulting on notification procedures for personal data breaches. We propose to ensure that the ICO issues guidance on any change to that notification mechanism and that the guidance will be the subject of a future consultation by the Information Commissioner. Thirdly, other changes to the e-privacy directive address problems with cookies, including any attempt to store information or gain access to stored information in a user’s equipment—using cookies—by requiring the informed consent of the user.

The provision covers legitimate practices that enable the use of many popular websites as well as illegitimate practices, such as spyware and viruses, which are also addressed in other legislation. The Government’s consultation on the implementation of the changes closes in December, and we will publish our response in spring 2011. The new measures will come into force on 26 May 2011.

Implementation of the electronic communications framework is not the only change that we are considering. Following the Lisbon treaty, as well as repeated calls to update the EU’s data protection directive, we expect the European Commission to publish a draft comprehensive instrument for data protection in mid-2011. The new instrument may cover all activities within the scope of European Union law. To inform the UK’s position for those forthcoming negotiations, the Ministry of Justice carried out a call for evidence for three months this summer to gain views on how the current legislative framework is working. Taken as a whole, those changes will usefully strengthen the regulatory framework governing privacy on the internet and will tackle some of the concerns expressed today.

As hon. Members have indicated throughout, there is a fundamental debate about the nature and scope of regulation. Business and the individual have a role to play in ensuring that both users and businesses are aware of their rights and responsibilities online. There is huge scope for self-regulation. The Internet Advertising Bureau has shown how industry can learn from consumer reaction and respond to consumers’ concerns by developing good practice principles. It has developed a website—www.youronlinechoices.co.uk—dedicated to informing consumers about behavioural advertising and offering a simple opt-out mechanism, which it proposed in March 2009, and this country’s advertising industry was the first in Europe to come up with a self-regulatory practice.

Discussions continue to take place between industry bodies at European level. Clearly, greater consumer awareness will help to address many of the concerns raised today and, with the Information Commissioner and industry, we will help with that in so far as is practicable.

I have spoken for almost 40 minutes, so it is time to draw my comments to a close. As a result of this debate and the thinking that went into preparing my comments, I intend to write to the major ISPs and websites, such as Google and Facebook, asking for a meeting. I want to discuss with them not just the general issue of people being aware of what data they may inadvertently be making available online, but the opportunity for redress.

I was struck by the comment from my hon. Friend the Member for Milton Keynes North about the women’s refuge centre whose address was put online, and it was then unable to persuade the organisation that was carrying that information to remove it. That organisation had not deliberately put the information online; it was simply the vehicle on which the information was available. There may be all sorts of reasons why it was difficult to take that information down. It may be that having taken it down, the address simply popped up again elsewhere, but the fact that no meeting or dialogue could take place worries me greatly. I suspect that most hon. Members in the Chamber have had conversations with constituents who have seen information about them online and have simply not known where to turn.

Nominet, the charity that is responsible for internet domain names, runs an extremely effective mediation service, so that people who are disputing the ownership of an internet domain name may be involved in a low-cost process to discuss how to resolve that dispute. It is certainly worth the Government brokering a conversation with the internet industry about setting up a mediation service for consumers who have legitimate concerns that their privacy has been breached or that online information about them is inaccurate or constitutes a gross invasion of their privacy to discuss whether there is any way to remove access to that information. I am sure that many internet companies will say that that is almost impossible, but when one hears stories such as that told by my hon. Friend the Member for Milton Keynes North, one wants at least to attempt to give consumers some opportunity to have a dialogue with internet companies, as they would be able to do if a newspaper had inadvertently published that information.

I hope that hon. Members have found my comments helpful and that I have been able to put into context what is happening with Google’s breach of data on Street View. I have set out my thoughts about personal remarks on the internet, establishing the regulatory regime for cookies and setting out the process that the Government are undertaking to strengthen privacy regulations on the internet alongside our European partners.