Data Protection and Digital Information (No. 2) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Julia Lopez
Main Page: Julia Lopez (Conservative - Hornchurch and Upminster)Department Debates - View all Julia Lopez's debates with the Department for Science, Innovation & Technology
Data Protection and Digital Information (No. 2) Bill
Julia Lopez ExcerptsMonday 17th April 2023
(1 year ago)
Commons ChamberRead Full debate Data Protection and Digital Information Bill 2022-23 Read Hansard Text Read Debate Ministerial Extracts
The Minister for Data and Digital Infrastructure (Julia Lopez)
I beg to move, That the Bill be now read a Second time.
Data is already the fuel driving the digital age: it powers the everyday apps that we use, public services are being improved by its better use and businesses rely on it to trade, produce goods and deliver services for their customers. But how we choose to use data going forward will become even more important: it will determine whether we can grow an innovative economy with well-paid, high-skill jobs, it will shape our ability to compete globally in developing the technologies of the future and it will increasingly say something about the nature of our democratic society. The great challenge for democracies, as I see it, will be how to use data to empower rather than control citizens, enhancing their privacy and sense of agency without letting authoritarian states—which, in contrast, use data as a tool to monitor and harvest information from citizens—dominate technological advancement and get a competitive advantage over our companies.
The UK cannot step aside from the debate by simply rubber-stamping whatever iteration of the GDPR comes out of Brussels. We have in our hands a critical opportunity to take a new path and, in doing so, to lead the global conversation about how we can best use data as a force for good—a conversation in which using data more effectively and maintaining high data protection standards are seen not as contradictory but as mutually reinforcing objectives, because trust in this more effective system will build the confidence to share information. We start today not by kicking off a revolution, turning over the apple cart and causing a compliance headache for UK firms, but by beginning an evolution away from an inflexible one-size-fits-all regime and towards one that is risk-based and focused on innovation, flexibility and the needs of our citizens, scientists, public services and companies.
Businesses need data to make better decisions and to reach the right consumers. Researchers need data to discover new treatments. Hospitals need it to deliver more personalised patient care. Our police and security services need data to keep our people safe. Right now, our rules are too vague, too complex and too confusing always to understand. The GDPR is a good standard, but it is not the gold standard. People are struggling to utilise data to innovate, because they are tied up in burdensome activities that are not fundamentally useful in enhancing privacy.
A recently published report on compliance found that 81% of European publishers were unknowingly in breach of the GDPR, despite doing what they thought the law required of them. A YouGov poll from this year found that one in five marketing professionals in the UK report knowing absolutely nothing about the GDPR, despite being bound by it. It is not just businesses: the people whose privacy our laws are supposed to protect do not understand it either. Instead, they click away the thicket of cookie pop-ups just so they can see their screen.
The Bill will maintain the high standards of data protection that British people rightly expect, but it will also help the people who are most affected by data regulation, because we have co-designed it with those people to ensure that our regulation reflects the way in which real people live their lives and run their businesses.
Christine Jardine (Edinburgh West) (LD)
Does the Minister agree that the retention and enhancement of public trust in data is a major issue, that sharing data is a major issue for the public, and that the Government must do more—perhaps she can tell us whether they intend to do more—to educate the public about how and where our data is used, and what powers individuals have to find out this information?
Julia Lopez
I thank the hon. Lady for her helpful intervention. She is right: as I said earlier, trust in the system is fundamental to whether citizens have the confidence to share their data and whether we can therefore make use of that data. She made a good point about educating people, and I hope that this debate will mark the start of an important public conversation about how people use data. One of the challenges we face is a complex framework which means that people do not even know how to talk about data, and I think that some of the simplifications we wish to introduce will help us to understand one of the fundamental principles to which we want our new regime to adhere.
Sir Julian Lewis (New Forest East) (Con)
My hon. Friend gave a long list of people who found the rules we had inherited from outside the UK challenging. She might add to that list Members of Parliament themselves. I am sure I am not alone in having been exasperated by being complained about to the Information Commissioner, in this case by a constituent who had written to me complaining about a local parish council. When I shared his letter with the parish council so that it could show how bogus his long-running complaint had been, he proceeded to file a complaint with the Information Commissioner’s Office because I had shared his phone number—which he had not marked as private—with the parish council, with which he had been in correspondence for several years. The Information Commissioner’s Office took that seriously. This sort of nonsense shows how over-restrictive regulations can be abused by people who are out to stir up trouble unjustifiably.
Julia Lopez
Let me gently say that if my right hon. Friend’s constituent was going to pick on one Member of Parliament with whom to raise this point, the Member of Parliament who does not, I understand, use emails would be one of the worst candidates. However, I entirely understand Members’ frustration about the current rules. We are looking into what we can do in relation to democratic engagement, because, as my right hon. Friend says, this is one of the areas in which there is not enough clarity about what can and cannot be done.
We want to reduce burdens on businesses, and above all for the small businesses that account for more than 99% of UK firms. I am pleased that the Under-Secretary of State for Business and Trade, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake), is present to back up those proposals. Businesses that do not have the time, the money or the staff to spend precious hours doing unnecessary form-filling are currently being forced to follow some of the same rules as a billion-dollar technology company. We are therefore cutting the amount of pointless paperwork, ensuring that organisations only have to comply with rules on record-keeping and risk assessment when their processing activities are high-risk. We are getting rid of excessively demanding requirements to appoint data protection officers, giving small businesses much more flexibility when it comes to how they manage data protection risks without procuring external resources.
Those changes will not just make the process simpler, clearer and easier for businesses, they will make it cheaper too. We are expecting micro and small businesses to save nearly £90 million in compliance costs every year: that is £90 million more for higher investment, faster growth and better jobs. According to figures published in 2021, data-driven trade already generates 85% of our services exports. Our new international transfers regime clarifies how we can build data bridges to support the close, free and safe exchange of data with other trusted allies.
John Penrose (Weston-super-Mare) (Con)
I am delighted to hear the Secretary of State talk about reducing regulatory burdens without compromising the standards that we are none the less delivering—that is the central distinction, and greatly to be welcomed for its benefits for the entrepreneurialism and fleetness of foot of British industry. Does she agree, however, that while the part of the Bill that deals with open data, or smart data, goes further than that and creates fresh opportunities for, in particular, the small challenger businesses of the kind she has described to take on the big incumbents that own the data lakes in many sectors, those possibilities will be greatly reduced if we take our time and move too slowly? Could it not potentially take 18 months to two years for us to start opening up those other sectors of our economy?
Julia Lopez
I am delighted, in turn, to hear my hon. Friend call me the Secretary of State—I am grateful for the promotion, even if it is not a reality. I know how passionate he feels about open data, which is a subject we have discussed before. As I said earlier, I am pleased that the Under-Secretary of State for Business and Trade is present, because this morning he announced that a new council will be driving forward this work. As my hon. Friend knows, this is not necessarily about legislation being in place—I think the Bill gives him what he wants—but about that sense of momentum, and about onboarding new sectors into this regime and not being slow in doing so. As he says, a great deal of economic benefit can be gained from this, and we do not want it to be delayed any further.
Kit Malthouse (North West Hampshire) (Con)
Let me first draw attention to my entry in the Register of Members’ Financial Interests. Let me also apologise for missing the Minister’s opening remarks—I was taken by surprise by the shortness of the preceding statement and had to rush to the Chamber.
May I take the Minister back to the subject of compliance costs? I understand that the projected simplification will result in a reduction in those costs, but does she acknowledge that a new regime, or changes to the current regime, will kick off an enormous retraining exercise for businesses, many of which have already been through that process recently and reached a settled state of understanding of how they should be managing data? Even a modest amount of tinkering instils a sense among British businesses, particularly small businesses, that they must put everyone back through the system, at enormous cost. Unless the Minister is very careful and very clear about the changes being made, she will create a whole new industry for the next two or three years, as every data controller in a small business—often doing this part time alongside their main job—has to be retrained.
Julia Lopez
We have been very cognisant of that risk in developing our proposals. As I said in my opening remarks, we do not wish to upset the apple cart and create a compliance headache for businesses, which would be entirely contrary to the aims of the Bill. A small business that is currently compliant with the GDPR will continue to be compliant under the new regime. However, we want to give businesses flexibility in regard to how they deliver that compliance, so that, for instance, they do not have to employ a data protection officer.
Ben Lake (Ceredigion) (PC)
I am grateful to the Minister for being so generous with her time. May I ask whether the Government intend to maintain data adequacy with the EU? I only ask because I have been contacted by some business owners who are concerned about the possible loss of EU data adequacy and the cost that might be levied on them as a result.
Julia Lopez
I thank the hon. Gentleman for pressing me on that important point. I know that many businesses are seeking to maintain adequacy. If we want a business-friendly regime, we do not want to create regulatory disruption for businesses, particularly those that trade with Europe and want to ensure that there is a free flow of data. I can reassure him that we have been in constant contact with the European Commission about our proposals. We want to make sure that there are no surprises. We are currently adequate, and we believe that we will maintain adequacy following the enactment of the Bill.
Rebecca Long Bailey (Salford and Eccles) (Lab)
I was concerned to hear from the British Medical Association that if the EU were to conclude that data protection legislation in the UK was inadequate, that would present a significant problem for organisations conducting medical research in the UK. Given that so many amazing medical researchers across the UK currently work in collaboration with EU counterparts, can the Minister assure the House that the Bill will not represent an inadequacy in comparison with EU legislation as it stands?
Julia Lopez
I hope that my previous reply reassured the hon. Lady that we intend to maintain adequacy, and we do not consider that the Bill will present a risk in that regard. What we are trying to do, particularly in respect of medical research, is make it easier for scientists to innovate and conduct that research without constantly having to return for consent when it is apparent that consent has already been granted for particular medical data processing activities. We think that will help us to maintain our world-leading position as a scientific research powerhouse.
Alongside new data bridges, the Secretary of State will be able to recognise new transfer mechanisms for businesses to protect international transfers. Businesses will still be able to transfer data across borders with the compliance mechanisms that they already use, avoiding needless checks and costs. We are also delighted to be co-hosting, in partnership with the United States, the next workshop of the global cross-border privacy rules forum in London this week. The CBPR system is one of the few existing operational mechanisms that, by design, aims to facilitate data flows on a global scale.
World-class research requires world-class data, but right now many scientists are reluctant to get the data they need to get on with their research, for the simple reason that they do not know how research is defined. They can also be stopped in their tracks if they try to broaden their research or follow a new and potentially interesting avenue. When that happens, they can be required to go back and seek permission all over again, even though they have already gained that permission earlier to use personal data. We do not think that makes sense. The pandemic showed that we cannot risk delaying discoveries that could save lives. Nothing should be holding us back from curing cancer, tackling disease or producing new drugs and treatments. This Bill will simplify the legal requirements around research so that scientists can work to their strengths with legal clarity on what they can and cannot do.
The Bill will also ensure that people benefit from the results of research by unlocking the potential of transformative technologies. Taking artificial intelligence as an example, we have recently published our White Paper: “AI regulation: a pro-innovation approach”. In the meantime, the Bill will ensure that organisations know when they can use responsible automated decision making and that people know when they can request human intervention where those decisions impact their lives, whether that means getting a fair price for the insurance they receive after an accident or a fair chance of getting the job they have always wanted.
I spoke earlier about the currency of trust and how, by maintaining it through high data protection standards, we are likely to see more data sharing, not less. Fundamental to that trust will be confidence in the robustness of the regulator. We already have a world-leading independent regulator in the Information Commissioner’s Office, but the ICO needs to adapt to reflect the greater role that data now plays in our lives alongside its strategic importance to our economic competitiveness. The ICO was set up in the 1980s for a completely different world, and the pace, volume and power of the data we use today has changed dramatically since then.
It is only right that we give the regulator the tools it needs to keep pace and to keep our personal data safe while ensuring that, as an organisation, it remains accountable, flexible and fit for the modern world. The Bill will modernise the structure and objectives of the ICO. Under this legislation, protecting our personal data will remain the ICO’s primary focus, but it will also be asked to focus on how it can empower businesses and organisations to drive growth and innovation across the UK, and support public trust and confidence in the use of personal data.
The Bill is also important for consumers, helping them to share less data while getting more product. It will support smart data schemes that empower consumers and small businesses to make better use of their own data, building on the extraordinary success of open banking tools offered by innovative businesses, which help consumers and businesses to manage their finances and spending, track their carbon footprint and access credit.
Jim Shannon (Strangford) (DUP)
The Minister always delivers a very solid message and we all appreciate that. In relation to the high data protection standards that she is outlining, there is also a balance to be achieved when it comes to ensuring that there are no unnecessary barriers for individuals and businesses. Can she assure the House that that will be exactly what happens?
Julia Lopez
I am always happy to take an intervention from the hon. Member. I want to assure him that we are building high data protection standards that are built on the fundamental principles of the GDPR, and we are trying to get the right balance between high data protection standards that will protect the consumer and giving businesses the flexibility they need. I will continue this conversation with him as the Bill passes through the House.
Mike Amesbury (Weaver Vale) (Lab)
I thank the Minster for being so generous with her time. With regard to the independent commissioner, the regulator, who will set the terms of reference? Will it be genuinely independent? It seems to me that a lot of power will fall on the shoulders of the Secretary of State, whoever that might be in the not-too-distant future.
Julia Lopez
The Secretary of State will have greater powers when it comes to some of the statutory codes that the ICO adheres to, but those powers will be brought to this House for its consent. The whole idea is to make the ICO much more democratically accountable. I know that concern about the independence of the regulator has been raised as we have been working up these proposals, but I wish to assure the House that we do not believe those concerns to be justified or legitimate. The Bill actually has the strong support of the current Information Commissioner, John Edwards.
The Bill will also put in place the foundations for data intermediaries, which are organisations that can help us to benefit from our data. In effect, we will be able to share less sensitive data about ourselves with businesses while securing greater benefits. As I say, one of the examples of this is open banking. Another way in which the Bill will help people to take back control of their data is by making it easier and more secure for people to prove things about themselves once, electronically, without having to dig out stacks of physical documents such as passports, bills, statements and birth certificates and then having to provide lots of copies of those documents to different organisations. Digital verification services already exist, but we want consumers to be able to identify trustworthy providers by creating a set of standards around them.
The Bill is designed not just to boost businesses, support scientists and deliver consumer benefits; it also contains measures to keep people healthy and safe. It will improve the way in which the NHS and adult social care organise data to deliver crucial health services. It will let the police get on with their jobs by allowing them to spend more time on the beat rather than on pointless paperwork. We believe that this will save up to 1.5 million hours of police time each year—
Julia Lopez
I know that my hon. Friend has been passionate on this point, and we are looking actively into her proposals.
We are also updating the outdated system of registering births and deaths based on paper processes from the 19th century.
Data has become absolutely critical for keeping us healthy, for keeping us safe and for growing an economy with innovative businesses, providing jobs for generations to come. Britain is at its best when its businesses and scientists are at theirs. Right now, our rules risk holding them back, but this Bill will change that because it was co-designed with those businesses and scientists and with the help of consumer groups. Simpler, easier, clearer regulation gives the people using data to improve our lives the certainty they need to get on with their jobs. It maintains high standards for protecting people’s privacy while seeking to maintain our adequacy with the EU. Overall, this legislation will make data more useful for more people and more usable by businesses, and it will enable greater innovation by scientists. I commend the Bill to the House.