Data Protection Bill [Lords] (Sixth sitting)

Liam Byrne Excerpts
Tuesday 20th March 2018

Public Bill Committees
Liam Byrne (Birmingham, Hodge Hill) (Lab)

On a point of order, Mr Streeter. The Minister suggested this morning that the Secretary of State for Digital, Culture, Media and Sport had not committed to the House yesterday to introduce powers to strengthen the Information Commissioner. However, on checking Hansard over lunch, I noticed that the Secretary of State said that where there is non-compliance with an audit,

“there is a very serious fine, but the question is whether the criminal penalties that can be imposed in some cases should be further strengthened. That detail is rightly being looked at in the discussions on the Data Protection Bill.”—[Official Report, 19 March 2018; Vol. 638, c. 51.]

Most of us would assume that “further strengthened” meant that further powers would be suggested, but the Minister seemed to say this morning that that would not be the case. Could she clarify whether such amendments will be tabled?

The Chair

It is up to the Minister to decide whether she wishes to respond to that point of order.

--- Later in debate ---
Brendan O'Hara

Amendments 137, 138 and 139, which stand in my name and that of my hon. Friend the Member for Cumbernauld, Kilsyth and Kirkintilloch East, were tabled because we believe that the Bill is incompatible with the devolution settlement, trampling roughshod over areas of wholly devolved competence. Whether by accident or design, the Lords amendments on Leveson—in particular on section 40—that seek to impose a one-size-fits-all Truro to Thurso solution are wholly inappropriate, as they fail to recognise or take cognisance of the fact that in press regulation and criminal justice, to name just two fields, it is the Scottish Parliament, not this place, that has legislative competence. The three amendments draw that distinction and defend the devolution settlement, removing any lingering doubts as to where the hitherto clear legislative boundaries, which have existed since 1998, lie.

Amendment 137 relates to any future inquiry on press standards, styled as Leveson 2. The Scottish National party has been clear throughout that all individuals should be able to seek redress when they feel they have been the victim of press malpractice, and that it benefits each and every one of us to have media that are transparent and accountable. However, we have been equally clear that if there is to be a second part of the Leveson inquiry, the distinct legal context in Scotland must be taken into account. As press regulation and criminal justice are matters for the Scottish Parliament, it is that body that must be consulted about the scale and the scope of any future inquiry and how it will operate in Scotland. As long as the Scottish Government were consulted and the distinct Scottish legal system taken into account, we would be happy to support efforts to establish a second part of a Leveson inquiry because any reasonable person would agree that the terms of reference for that part of the inquiry have not yet been met.

It is unfortunate that we have had to table the amendments. It is not unreasonable to expect the House of Lords to know that press regulation and all the associated issues of the culture, practice and ethics of the press would fall under the devolved competence. A blanket UK-wide amendment would only negatively affect areas of devolved competence. We are disappointed that the amendments were necessary in the first place, but we sincerely hope that Members in all parts of the Committee support our attempts to respect the devolution settlement.

Amendment 139 would ensure that clauses 168 and 169 would extend only to England and Wales and would not apply in Scotland. Again, this is simply a case of our having to tidy up after the Lords. I want to put on record that there is no excuse for what we regard as lazy and entirely inappropriate amendments from the other place. By accident or design, those amendments take no cognisance whatsoever of which powers are devolved and which are reserved. For the future benefit of their lordships, let me say again what I have said on numerous occasions. Although data protection may well be an area of competence reserved to this place, press regulation and criminal justice are wholly devolved to the Scottish Parliament and have been for the past 20 years. If the Bill is not amended, the power of this Parliament will be extended into areas that are solely the preserve of the Scottish Parliament. I believe that will set a very dangerous precedent.

Not only does the Bill drive a coach and horses through the devolution settlement, but I would question why the House of Lords thought it in any way appropriate to apply section 40 of the Crime and Courts Act 2013 to the whole of the United Kingdom, because there is no such piece of legislation as the Crime and Courts Act in Scotland. It simply does not exist. Furthermore, the whole concept of exemplary damages, as I understand is being proposed, is not even recognised and has no equivalent in Scots law. If the Bill were passed unamended, it would force the Scottish Government to pass a legislative consent motion—something they have said they have no intention of doing because, as I said, press regulation and criminal justice are wholly devolved to the Scottish Parliament.

It is simply unacceptable for the UK Parliament to decide what should happen in Scotland with regard to press regulation; that is a job for the Scottish Parliament. The Scottish Government have made it clear that, although they are not opposed to press regulation and are having ongoing discussions with the Scottish media about how best to implement an independent press regulation system, it is for Holyrood to decide on a course of action, not to have it decided for them by Westminster. I fully expect the Government to seek to remove clauses 168 and 169 and the Opposition to seek to restore them on Report. I hope that, when the Labour Opposition do that on Report, they will ensure that what they bring back to the Floor of the House of Commons is compatible with the devolution settlement and that the proposed new clause will exclude Scotland from the section 40 legislation.

It is not enough for the Government to say that they understand and sympathise. I urge the Minister to accept our amendments because they preserve and protect the devolution settlement, which has worked well for the past 20 years in terms of press regulation and criminal justice. I ask the Minister and in particular Conservative Members representing Scottish constituencies to respect the devolution settlement and accept that what came back from the House of Lords flies in the face of the long-established devolution settlement. I ask them to accept that it is wholly inappropriate and inconsistent with Scots law and, therefore, support our amendments.

Liam Byrne

I want to say a few words in defence of the clause and touch on the amendments the Government have proposed. The substance of the clause is an attempt to ensure that we activate the second half of the Leveson inquiry, to look into allegations of collusion between the police and members of the fourth estate.

It is worth reminding ourselves of the absolute horror with which we all looked at the revelations about News International’s malpractice. The idea that individuals from national newspapers could hack phones of pretty much anybody in the country, including most notoriously the phone of poor Milly Dowler, sell that information and turn it into front-page newspaper stories, absolutely shocked us. Serious questions were asked about the way the police investigation was conducted. That is why the House united not just to begin the Leveson inquiry, but to propose a second part to look into the question of police collusion. That element was not possible at the time because of the cases that were coming to court, both civil and criminal. The solution proposed by Mr Cameron, the then Prime Minister, which I believe was supported by the present Secretary of State for Digital, Culture, Media and Sport, was that there should be a second half of the Leveson inquiry. Mr Cameron said:

“One of the things that the victims have been most concerned about is that part 2 of the investigation should go ahead—because of the concerns about that first police investigation and about improper relationships between journalists and police officers. It is right that it should go ahead, and that is fully our intention.”—[Official Report, 29 November 2012; Vol. 554, c. 458.]

--- Later in debate ---
The right hon. Gentleman made great play on the fact the former Prime Minister said that Leveson 2 will go ahead. Indeed, he did. It was before my time in the House—I am not as long serving as other Members—but the fact is that things have changed markedly since the former Prime Minister made that commitment on going ahead with Leveson 2. The landscape has changed markedly. It is absolutely right that we take account now, in 2018, of the situation that we find ourselves in. Given that Leveson 1 has happened, given what we know Leveson 1 was able to achieve and what it was not able to achieve, and given some of the reforms that have since taken place, it is absolutely right that the current Government in 2018 revisit the matter. In my view, they have reached absolutely the correct conclusion: the grounds on which Leveson was originally to go ahead no longer are justified.
Liam Byrne

Like the hon. Gentleman, I wish that the entire media operated with the editorial standards of BBC Essex and the Swindon Advertiser. I was struck by a remarkable statement: that he believes that the mispractice or malpractice still goes on—I have written down carefully the words that he used. I cannot, therefore, understand why the conclusion he draws from the persistence of malpractice is to look the other way and to shut down an inquiry into whether it took place and who the guilty are. I would be grateful if he can correct me on my misunderstanding.

The Chair

Order. First, let me correct a possible misunderstanding. The right hon. Member for Birmingham, Hodge Hill mentioned that clauses 168 and 169 will be debated later. In fact, we are debating them as part of this group, as I tried to make clear when I introduced amendment 137.

Peter Heaton-Jones

Thank you for that clarification, Mr Streeter.

There is nothing remarkable about what I said. Quite clearly, there is still malpractice going on in the journalism industry. Is the right hon. Gentleman honestly trying to say that that is a remarkable thing to say?

Peter Heaton-Jones

It is not remarkable at all. Of course it is going on, but establishing and carrying out Leveson 2 would do nothing to solve that problem and nothing to bring justice to the members of the public who have been done wrong by that small number of journalists who are acting in that way. I do not know why the right hon. Gentleman finds that a remarkable statement to make.

As for the statement that he made on Second Reading—that the Government’s position is to say, “Nothing to see here—absolutely nothing happening”—that is not what the Government are saying at all. The Government’s position is clear: Leveson 2 simply would not do what I think the right hon. Gentleman and probably everyone in this room would like it to do, which is to be some sort of cleansing disinfectant that solves all the problems. It simply will not do that.

Liam Byrne

As much as I respect the hon. Gentleman’s omniscience, how could he possibly know that?

Peter Heaton-Jones

It is a big gamble to spend potentially £50 million when we are not sure whether it will have the required outcome. That is the point. The Lords amendment would start the Leveson 2 process, which would cost at a very conservative estimate £50 million, potentially last for a huge amount of time and still not get to the answer that we want. There must be better solutions.

I had started to discuss the fact that the landscape has changed and that the very framework in which we work has changed markedly since the former Prime Minister made the commitment to go ahead with Leveson 2. There have been huge changes. Not only have we had the Leveson 1 inquiry, which in its own terms of reference touched on many of the issues that the proposed Leveson 2 inquiry would cover, but we have had any number of changes, improvements, and reforms in the way the police and indeed the media operate. We have had Operations Elveden, Tuleta and Weeting, which included Operation Golding, all of which have investigated a wide range of practices in the interaction between the police and members of the media and journalists. At a total cost, incidentally, of about £40 million for those operations, they have done good work and all of them have resulted in significant reform.

When I first joined the journalistic trade, way back in 1986, there was malpractice on a scale that we would not believe, and it was completely normal for journalists to pick up the phone to a friendly police contact and get whatever information they wanted to write their next report. That was absolutely normal. It is not normal now. I am sure it still happens, but it is now not the norm, which is good. That is why we do not want to turn the clock back and commit ourselves to a very long inquiry—a Leveson 2 inquiry—which would not do what we want it to do.

Where malpractice occurs in the media, where cases such as those raised by the right hon. Gentleman come to light, and where members of the public are treated in the most despicable way by journalists, I want people to be able to have the right to redress, to have their day in court, and to be able to say, “This is what has happened and it must change,” but Leveson 2 would not do that. It would not provide the means by which that happened. That is why the Secretary of State for Digital, Culture, Media and Sport was absolutely right to make the decision and to say that Leveson 2 is not on the Government’s agenda, and nor should it go ahead. It is perhaps worth pointing out also that this Government were elected only nine months ago on a manifesto that specifically said that Leveson 2 would not go ahead. That was a manifesto commitment.

Mr Streeter, may I just seek absolute clarification from you? From your earlier instruction, are we now also talking about section 40?

--- Later in debate ---
Peter Heaton-Jones

Thank you very much indeed.

I do not really have much to say. To be clear, we are considering the amendment made in the other place. It seeks to enact section 40 of the Crime and Courts Act 2013, which this Government and the Secretary of State have said we will not do—indeed, they have said that we wish to repeal section 40.

It is very clear in my mind that we need to reject the amendment made in the other place. There is a very straightforward reason, which is that section 40 does one key thing: it seeks to persuade media organisations, specifically newspapers, that have not signed up to a recognised regulatory body to do so by providing a financial inducement of the most “blunt instrument” kind.

I have here a document from the House of Commons Library; for the record, I emphasise that the House of Commons Library is neutral. The document discusses why section 40 of the Crime and Courts Act 2013 was introduced. The Library says that it was intended to

“coerce or incentivise publishers to become members of a recognised regulator”.

That is language that we should be worried about. The reason we should be more worried about what section 40 will do—it is pretty straightforward—is that if a member of the public brings a defamation action against a newspaper, it goes to court and the newspaper wins the case, that media organisation is still financially liable to pay the costs of both sides.

Quite simply, that will encourage a lot of entirely superfluous and vexatious legal actions to be brought by people who just have some kind of beef against the media and pockets bulging with cash that allows them to do so. When, as will inevitably happen, the media wins the case, because it was built on sand, the media organisations concerned will be put out of business by the requirement to pay the legal costs on both sides.

Liam Byrne

The Minister is cheering on the hon. Member, but will he for complete clarity remind the Committee who proposed this architecture in the first place? From memory, it was his right hon. Friends the Members for West Dorset (Sir Oliver Letwin) and for Basingstoke (Mrs Miller).

Peter Heaton-Jones

I was not in Parliament at the time. I have only been here for two and a half years. We go back to the point that I made in relation to the previous clause. The ground has shifted. We now know what the effect will be. The other place debated this in some detail; the arguments were put extremely strongly, and by a narrow majority their lordships, as is their right, passed the amendment and asked us to consider it. It is perfectly right that they are asking us to consider it. It is perfectly right that we say: “Up with this we will not put.” Section 40 will have precisely the opposite effect to what probably anyone listening would hope it to have. It will be an extraordinarily damaging measure for the future of the freedom of the press in this country. It will have the effect of preventing publication of material which is in the public interest and which is true, legitimate, and fair, because newspaper proprietors will not be able to afford the risk of going to a court case which they win but still have to pay the costs. It will be an incredible impediment to the free press in this country. For that reason more than any other we must reject the amendments that come from the other place.

The Chair

One or two colleagues have caught my eye because I was not clear enough in my introduction to this section. I invite Mr Liam Byrne to readdress the Committee in relation to these clauses.

Liam Byrne

I am grateful to you, Mr Streeter, for setting that out so clearly. I want to speak in defence of clauses 167 and 168.

I am clearly an innocent abroad in a world that is not innocent. I struggle to follow the argument made by the hon. Member for North Devon. On the one hand he was pretty insistent that malpractice continued, but then invited us to believe that somehow the world had changed comprehensively. Either the world has changed or it has not. I fear that the world has changed a bit, but not enough, so there is still a need for an effective means of offering justice to those who have been maligned by newspapers.

The architecture set up by the right honourable Members for West Dorset and for Basingstoke was complicated. We have a fine tradition of a free press, going back to the restoration. One of the reasons why the industrial and scientific revolutions flourished in this country was that we had a culture of free speech—something that Voltaire admired greatly when he spent time in London. However, the reality is that bad behaviour by the press has destroyed people’s reputations without any real chance of recovery. In a world of social media, when reputations are destroyed, the smears stick to people like tar. They do not go away; they stay with people and scar them for life.

--- Later in debate ---
Matt Warman (Boston and Skegness) (Con)

I shall be mercifully brief. As a print journalist for 15 years, I start by saying that the entire industry was genuinely horrified to learn of the extent and the offences that had been committed by organisations that, in the main and over many centuries, worked genuinely in the public interest. We should not forget that journalists who work in the media today, and were doing so while that was going on, are in the main trying to do the kind of public service that we would all defend. We should not underestimate the horror with which the industry greeted the stories of what happened to the Dowler family and many others, be they celebrities or other victims. I hope we would agree across the House that the media in the main have fulfilled that remit. I should also say, as did my hon. Friend the Member for North Devon, that I have a great deal of sympathy with the amendments proposed by the Scottish National party. We should prize consistency above all else in this area.

The right hon. Member for Birmingham, Hodge Hill said that he was surprised to learn that the Government did not seek to proceed with the second part of the Leveson inquiry. It was in our manifesto, so his surprise is surprising. I can only conclude that he did not read the Conservative manifesto. Perhaps he read the Labour manifesto and was so horrified he could not face reading another one.

Liam Byrne

I just could not understand it.

Matt Warman

The Labour one? Quite right. We should bear in mind the two things used in favour of the position taken by the Conservative party and the Government in the manifesto. The first, as my hon. Friend the Member for North Devon said, is that the world has indisputably moved on. Even Sir Brian Leveson agrees that the world has moved on. The challenges that face our modern media are not the challenges that would have been subject to the Leveson inquiry. The more important point is that, where there are legitimate concerns about the media and how people are treated, the solution to that is effective and independent regulation, and that is what we have now more than ever.

Liam Byrne

The hon. Gentleman served on The Daily Telegraph long enough to know that the IPSO code today bears a striking resemblance to the old editors’ code. Perhaps he could give us the benefit of his experience and tell us whether he is satisfied that the IPSO code meets the tests set out by Sir Brian Leveson and agreed in all parts of the House.

Matt Warman

I will say two things. I had a mercifully limited engagement with what was then the Press Complaints Commission, although we did have to deal with some complaints in my small bit of the paper. Although we took it seriously, it is in no way comparable with the seriousness that IPSO is now taken. That might be down to the fact that the scale of the apology that can be demanded by IPSO, and has to be given, is exponentially greater. That is a crucial deterrent when it comes to the work done by journalists in the newsroom, who sometimes regard their editors as figures of great fear as much as great role models.

The other side is that we have a crucial low-cost arbitration system that allows people who are not of the means that the right hon. Gentleman described to bring cases against the media and get the redress they deserve when people make mistakes. Those are the two crucial differences between the PCC and IPSO. The latter is a fundamentally more powerful, very different regulator, but it has the credibility and independence that IMPRESS will simply never have.

Liam Byrne

Would the hon. Gentleman give way?

Matt Warman

I thought the right hon. Gentleman might want to come in.

Liam Byrne

The hon. Gentleman was an experienced and respected journalist and has a track record on which to draw in his reflections. He did not quite answer the question whether he thought the code of conduct that IPSO regulates meets the tests set out by Sir Brian Leveson and agreed on both sides of the House. Will he reflect on whether the code of conduct is prone to changes driven through by newspaper editors? There is no guarantee that newspaper editors cannot influence that code, and its shape and bite, in the years to come.

Matt Warman

The right hon. Gentleman is right that there is a continuous thread to the sensible key principles of press regulation, and for journalists to have a role in shaping those is not entirely illegitimate. None the less, we must bear in mind that those principles should serve the public before they serve the press. That is what is in the principles that Sir Brian Leveson sought to suggest. The right hon. Gentleman is right that we agree on those on both sides of the House, and that IPSO strikes the right balance. The sense that both the world and the regulator have changed should reassure both Opposition Members and members of the public who would like the Government to secure a free but sensibly regulated press that serves all of us.

Matt Warman

I agree, which is why IPSO rather than IMPRESS strikes the right balance between the two. The right hon. Member for Birmingham, Hodge Hill made great play of David Cameron promising IPSO, but I would make great play of Government delivering on the manifesto pledges they made when they fought an election in 2017. Not doing what he set out also delivers on a promise—the more recent promise should take precedence.

My hon. Friend the Member for North Devon powerfully made the case against section 40, which seeks to punish the victim. That would obviously have a clear chilling effect not only on our local newspapers, which are often on the brink of bankruptcy, but on the broader media. We can look at fantastic pieces of journalism even today, such as the one about Cambridge Analytica. The Guardian itself says, “Please, we would like your donations so we can keep our valuable journalism free”—the paper has had to fight off three pieces of legal action by Cambridge Analytica and one from Facebook. Those huge corporations seek to shut down legitimate investigation, and the right hon. Member for Birmingham, Hodge Hill suggests that if they were to bring and win cases, The Guardian should pay for them. That is an extraordinary position to take.

Liam Byrne

rose

Matt Warman

I am sure the right hon. Gentleman is about to assure me that he is not taking that position.

Liam Byrne

Let us be real about this. The idea that companies such as Facebook or Cambridge Analytica will desist from legal action to shut down stories that they do not like—the idea that that will not happen at any time in the future, even under the existing regimes—is for the birds. The argument that is better made by some of the hon. Gentleman’s colleagues is to do with the risk to local newspapers, most of which are now owned by Trinity Mirror, which makes tens of millions of pounds in profit, or the Johnston Press. The point is that vexatious claims can be shut down and thrown out at any one of three stages by the regulator or, before the case goes to arbitration, by the arbitrator or by a judge, so the incidence of costs arising will not be on the scale the hon. Gentleman anticipates. Equally, he must accept that, without a form of low-cost arbitration, justice is denied to people who are maligned by newspapers.

Matt Warman

I enjoyed the right hon. Gentleman’s speech, but I disagree with him profoundly. I worked for a newspaper that had, by comparison with our local papers, an enormous budget. The threat of having to pay the legal bills of Facebook and Cambridge Analytica would have a profoundly chilling effect, even at the very highest level of journalism.

--- Later in debate ---
Liam Byrne

Finally and very briefly, the hon. Gentleman is making an eloquent argument. Why, then, was that proposed by the right hon. Members for West Dorset and for Basingstoke? How did they get it so profoundly wrong?

Matt Warman

That is a fascinating philosophical question, but I can only tell the right hon. Gentleman that I would not have voted for it. I appreciate that he will say that it is easy for me to say that now, but the idea that people in this place would be convinced that it is the best possible model is simply not plausible after the statements that my hon. Friend the Member for North Devon and I have made today. Surely we need a set of press regulations that preserves the independence of the media, and their ability to invest in journalism at local and national level, which we all want if we are to hold the powerful to account. We also need regulations that allow hon. Members to say with a clear conscience that we have done nothing that puts those businesses in serious jeopardy.

It does not seem to me that a costly Leveson 2 is the best use of public money, or that the threat of section 40 will ever be the best use of private money, putting legitimate local and national media out of business. Those arguments seem to me like a powerful case for IPSO, and for a sensible look at the sustainability of the press, as the Prime Minister has set about doing. They do not under any circumstances seem to me like a good reason to vote for the amendments.

Margot James

I will set out the Government’s position on clauses 142, 168, 169 and 205, before returning to the amendments in the name of the hon. Member for Argyll and Bute.

As we have heard, clause 142 requires the Government to establish an inquiry with terms of reference similar to those contained in part 2 of the Leveson inquiry, but in relation to data protection only. The Government set out our intention not to reopen the Leveson inquiry in our response to the consultation on the future of the inquiry on 1 March. I will not repeat the arguments in full, but I will say that the Government’s firm focus is on the problems faced by the media right now.

The Government recognise that there is a great deal of feeling on both sides of the debate. We have listened to all views, including those of victims, in reaching a decision. No one seeks to excuse the past behaviour of individual media organisations, nor to legitimise it. As the right hon. Member for Birmingham, Hodge Hill said, some of the stories we heard at the beginning of the Leveson inquiry were horrific. The Government have a duty, however, to make decisions that are proportionate and in the public interest. In the light of all the evidence available, it is apparent that part 2 of the inquiry is no longer appropriate or proportionate.

Part 1 of the inquiry lasted over a year, and heard evidence from more than 300 people, including journalists, editors and victims. Since then, the majority of the Leveson recommendations have been implemented. Three major police investigations examining a wide range of offences have been completed. More than 40 people were convicted, some of whom were sent to prison. There have also been extensive reforms to policing practices, and significant changes to press self-regulation.

As a result, the terms of reference for part 2 have largely been met, and the culture that allowed phone hacking to become the norm has changed. Meanwhile, the media are facing critical challenges that threaten their sustainability, including fake news, declining circulations and gaining revenue from online content. Free and vibrant media are vital to democratic discourse, and we need to tackle those challenges urgently. Holding a costly and time-consuming public inquiry looking predominantly backwards is not the right way to go.

The Government are committed to addressing these issues, and we are developing a digital charter to ensure that new technologies work for the benefit of everyone, with rules and protections in place to keep people safe online and to ensure that personal information is used appropriately. As part of that, we are also undertaking work to ensure that there are sustainable business models for high-quality media online. The media landscape is different and the threats are different, too. Issues such as fake news mean there is a need to protect the reliability and objectivity of information.

Likewise, clauses 168 and 169 are similar to the provisions contained in sections 40 and 42 of the Crime and Courts Act 2013, but apply to breaches of data protection law only. The Government do not believe that introducing a provision similar to section 40 of the 2013 Act into the Bill is appropriate, but in relation to data protection only. That is particularly so given our decision earlier this month to repeal section 40 when there is a suitable legislative vehicle. In coming to that decision, we considered all the available evidence, including the views of respondents to the public consultation that we undertook last year. Many respondents cited concerns about the chilling effect that section 40 would have on the freedom of the press, which was so ably summed up by my hon. Friend the Member for Boston and Skegness.

Liam Byrne

Will the Minister tell the Committee why she supported it when it came to a vote last time?

Margot James

The right hon. Gentleman has made great play of the former Prime Minister’s statement. I remind him that that statement was given six years ago. Much has changed since. My hon. Friend the Member for North Devon tried to make the point that, although we cannot rule out that egregious conduct is still going on in the press, as I imagine there is in virtually every other sector of society, we can agree that much has changed and improved. That is why the Government have changed their direction. I hope that satisfies the right hon. Gentleman.

--- Later in debate ---
Margot James

I do not accept that this Bill represents a reduction in the powers of the Information Commissioner, and I do not think that that is her view either. Obviously, I accept what she said in response to questioning from the Select Committee on Digital, Culture, Media and Sport. As I have already said, my right hon. Friend the Secretary of State is considering her request, and we are working on the areas where she feels there is a shortfall.

I reassure the Committee that the Bill strengthens the ICO’s overall powers. The hon. Member for Sheffield, Heeley has mentioned fines. There are fines of up to 4% of global turnover, or £17 million, both for malpractice itself and for blocking investigations and inquiries mounted by the ICO.

Liam Byrne

One way in which the Government could row in behind a frustrated Information Commissioner would be to deny Government contracts to companies that are behaving badly. I understand that Cambridge Analytica has Government contracts with both the Foreign Office and the Ministry of Defence. Are they under review?

Margot James

I cannot speak for either of those Departments. We are debating the powers of the ICO rather than contractual matters between private companies and Government Departments. I accept that that is a moot point, but it is not the purpose of this Bill Committee to go into those details.

To return to the points raised by the hon. Member for Sheffield, Heeley, we are strengthening the powers of the Commissioner. We are extending her current power to serve assessment notices on data controllers in public sector bodies to all data controllers across the private sector as well. Those assessment notices will require them to provide evidence of their compliance with the law, and there is now the power to enforce assessment notices by obtaining a warrant to exercise search and seizure powers on behalf of the ICO. The Bill also creates a criminal offence for obstructing a warrant, which is subject to both fines and a criminal record. We are strengthening in those areas and also increasing fines substantially.

Liam Byrne

I understand that the Minister cannot answer the detailed question about Government contracts with, for example, Cambridge Analytica, but does she think, philosophically, that a Government would and should reconsider contracts with companies that are not complying with a reasonable request made by the Information Commissioner?

Margot James

The right hon. Gentleman makes an entirely reasonable point. As I said earlier, I cannot go into it in a debate on this particular Bill, other than to say that he makes a reasonable point.

Clause 143 provides the commissioner with the power to issue an information notice. This is a type of notice that requires a controller or processor to provide the commissioner with specified information within a certain time period.

Question put and agreed to.

Clause 143, as amended, accordingly ordered to stand part of the Bill.

Clause 144 ordered to stand part of the Bill.

Clause 145

False statements made in response to an information notice

Question proposed, That the clause stand part of the Bill.

Liam Byrne

The operation of clause 145 is a matter of great public concern this week, because of the revelations that an app that sat on Facebook collected data for a particular purpose, but they were then re-used by Cambridge Analytica for an entirely different purpose, to bend the outcome of particular elections and, quite possibly, referendums too. Facebook had made a statement that the matter had been resolved a couple of years ago and that the relevant data in question had been deleted. The story has developed over the past 24 hours and former Facebook employees are now alleging that it was not simply 50 million records that were collected for one purpose and re-used for another; there may have been hundreds of millions of records collected for one purpose and used for another.

How will clause 145 bite on a company such as Facebook that may be responding to an information notice issued by the Information Commissioner? The company may have told the Information Commissioner that it was all fine, the data was all deleted and everyone was perfectly satisfied, but a couple of years later it transpires that that is not the case. What would then happen to a company such as Facebook? Is the Minister satisfied that the proposed sanctions and penalties are strong enough? It is not clear to me, given what we now know, that these sanctions are strong enough at all.

Margot James

We are debating a suite of powers as part of the overall powers with which the Bill reinforces the Information Commissioner’s Office. It is not just about clause 145. If a company discloses information unlawfully, there is also a separate offence in clause 170. We are not relying on one clause alone.

--- Later in debate ---
Margot James

The clause gives the commissioner the power to issue an enforcement notice, which requires a person to take steps or refrain from taking steps specified in the notice. For example, the commissioner can use an enforcement notice to compel a data controller to give effect to a data subject if they have otherwise failed to do so. Section 40 of the Data Protection Act 1998 made similar provision. In respect of the hon. Lady’s questions concerning the law enforcement aspects of the clause and the need for impact assessments, and the powers that the ICO might need to ensure that those impact assessments are done and are appropriate, I will have to write to her on the details of those latter points.

Question put and agreed to.

Clause 148 accordingly ordered to stand part of the Bill.

Clause 149

Enforcement notices: supplementary

Amendment made: 56, in clause 149, page 83, line 36, leave out “with the day on which” and insert “when”.—(Margot James.)

This amendment is consequential on Amendment 71.

Clause 149, as amended, ordered to stand part of the Bill.

Clause 150

Enforcement notices: rectification and erasure of personal data etc

Question proposed, That the clause stand part of the Bill.

Liam Byrne

The clause bites on the question of individuals’ rights to the erasure of personal data and rectification. I want to give the Minister an opportunity to update the Committee on her conversations with media, culture and other organisations about how she is going to balance the implementation of clause 150 with the ambitions of those organisations to protect archives—not just archives of very large sets of artefacts, such as the Natural History Museum, but those that are run by News UK or Trinity Mirror or the BBC.

The risk that is obviously posed by those organisations is that they often rely on very good, detailed and often quite old archives of news information. The scenario that was put to us last night by lawyers representing a number of those organisations that wanted to give us their views about clauses 168 and 169 was that successful journalism—whether The Daily Telegraph or the Swindon Advertiser—will often rely on excellent archives.

If rich individuals are seeking to create a different truth and a different history, and to exercise their rights under the clause, a risk will be created for those media organisations. I am more worried about the media organisations’ rights than I am about the Natural History Museum and the BBC, because I think the Minister’s Department will do a good job of working out where to put that grey line round what should be protected and what is up for grabs. The example put to us last night was of rich individuals seeking to create a different kind of history—a different kind of past—to bend deliberately the future of reporting by eradicating a record that might be true. The risk that was put to us is that, very often, newspaper legal directors—the poor things often have to advise on this decision—will sometimes conclude that the game is just not worth it and therefore give in to the rich individual to avoid damaging and expensive legal action and delete the records from their archives.

This is a difficult area, where balances have to be struck, but it is a form of litigation that will doubtless continue into the future. We might have just decided to deny access to ordinary people to correct media malpractice, but rich individuals will continue to bring their cases. Will the Minister tell us how the balance will play out in practice? How do we protect the rights of news organisations to run good archives for the benefit of public interest journalism in the future?

Margot James

The clause makes additional provision for enforcement notices where the subject matter of the notice relates to the controller or processor’s failure to comply with the data protection principle of ensuring accuracy. The clause may also apply where a controller or processor has failed to comply with the data subject’s rights on rectification, erasure or restriction of processing under articles 16 to 18 of the general data protection regulation.

We touched on the issue of archives in one of the Committee sittings last week. I explained to the Committee that there is protection for archives under the GDPR, whether they be those of news organisations or of academic sources. We are aware of the concerns expressed by organisations representing archives, and I agree with the right hon. Gentleman that quality journalism often depends on the use of such archives. However, I assure him that my Department will defend the rights of journalists and the press as tenaciously as we would defend the rights of archivists in the great museums of our country against the distortions that he gave as examples of people perhaps wanting to use the right to be forgotten in an excessive manner and in a bid to rewrite history. We are aware of such individuals, and we are comfortable that the GDPR prevents those abuses.

Question put and agreed to.

Clause 150 accordingly ordered to stand part of the Bill.

Clauses 151 and 152 ordered to stand part of the Bill.

Clause 153

Powers of entry and inspection

Question proposed, That the clause stand part of the Bill.

Liam Byrne

Again, on this point, we would benefit from some clarification from the Minister. The story that broke this morning was that the Information Commissioner had, in effect, to go to court to get her warrant to investigate what Cambridge Analytica was up to. There was some speculation as to why Facebook was able to exercise some contractual rights and turn up at the offices of Cambridge Analytica to conduct an inspection. The reports are that, as the situation played out, the Information Commissioner had to tell Facebook legal officers to stand down and to stop what they were doing. As it happened, Facebook wisely decided to follow the Information Commissioner’s orders.

A matter of great concern is that the Information Commissioner has to go through what sounds like a laborious process to get the warrant needed to conduct an investigation that is obviously in the public interest. When we secure, for example, emergency injunctions to stop the publication of material that people do not want published, or when magistrates issue search warrants, most of us with experience of this at a local level would observe that such warrants are often issued in a much faster and less high-profile way than the process the Information Commissioner appears to have to go through.

In effect, Cambridge Analytica has had 48 hours’ notice of the Information Commissioner’s concerns—[Interruption.] I am sorry, but I do not know whether the Minister wants to intervene on that—

The Chair

Order. There is confusion on the Front Bench. Please continue, Mr Byrne.

Liam Byrne

I am sorry, Mr Hanson. I was not sure whether the Home Office Minister wanted to clarify that point. We know that warrants have to be sought and judicial oversight is important, but the process appears slightly cumbersome. I wonder whether the Minister can tell us whether she is satisfied that the process and the powers that we will equip the Information Commissioner with are as smooth and slick as the new enforcement environment requires.

--- Later in debate ---
Margot James

I have just been advised that the existing law is non-custodial criminal sanctions. I have referred to the criminal sanctions with respect to assessment notices, and I will get back to the hon. Lady on the question of the sanctions on the information notices that she has asked about. I am told what I am told; the existing law is non-custodial.

Question put and agreed to.

Clause 154, as amended, accordingly ordered to stand part of the Bill.

Schedule 16

PENALTIES

Amendments made: 123, page 203, line 26, leave out “with the day after” and insert “when”.

This amendment is consequential on Amendment 71.

124, page 204, line 10, leave out “with the day on which” and insert “when”.

This amendment is consequential on Amendment 71.

125, page 205, line 5, leave out “with the day after the day on which” and insert “when”.

This amendment is consequential on Amendment 71.

126, page 205, line 37, leave out “controller or processor” and insert “person to whom the penalty notice was given”.—(Margot James.)

This amendment is consequential on Amendment 52.

Schedule 16, as amended, agreed to.

Clause 155 ordered to stand part of the Bill.

Clause 156

Maximum amount of penalty

Question proposed, That the clause stand part of the Bill.

Liam Byrne

I think we could all do with a bit of clarity, which did not quite emerge in the last debate. My hon. Friend the Member for Sheffield, Heeley, makes an important point: in light of this week’s news, there is real concern that the maximum possible sentences should be on the books to punish people who try to get in the way of investigations by the Information Commissioner. Can the Minister say whether the Information Commissioner is currently able to prosecute people for getting in her way, and whether they could go to jail? That would be clarification No. 1. Clarification No. 2 would be whether, under the Bill the Minister is asking us to agree, that custodial sentence would still remain.

Margot James

I understand that under the current law there are no custodial sentencing provisions, so therefore I cannot argue that they will remain. That does not seem logical at all. The existing DPA offences are for fines only, according to section 60 of the Data Protection Act 1998.

Question put and agreed to.

Clause 156 accordingly ordered to stand part of the Bill.

Clause 157

Fixed penalties for non-compliance with charges regulations

Question proposed, That the clause stand part of the Bill.

Liam Byrne

Given the clarity that the Minister has now furnished for the Committee, and given the scale of wrongdoing that is alleged about Cambridge Analytica and potentially Facebook this week, the question on clause 157 is whether she is satisfied that financial penalties are going to do the job in the years to come. Otherwise, is this a clause on which we need to reflect on Report if not now so that if custodial sentences are not currently available, we might consider introducing them for people who appear determined to move heaven and earth to get in the way and obstruct an Information Commissioner inquiry? Could we perhaps come back to that on Report, rather than simply rely on sanctions such as fixed penalty notices?

--- Later in debate ---
Unlawful obtaining etc of personal data
Liam Byrne

I beg to move amendment 157, in clause 170, page 96, line 25, at end insert—

“or

(d) was done in the process of making a protected disclosure for any of the purposes of the Employment Rights Act 1996 or the Employment Rights (Northern Ireland) Order 1996 (SI 1996/1919 (NI 16)).”.

This amendment seeks to ensure that the offences listed in the offences of the Bill do not infringe on a worker’s ability to raise public interest concerns about wrongdoing, risk or malpractice.

The Chair

With this it will be convenient to discuss amendment 158, in clause 171, page 97, line 28, at end insert—

“or

(d) was done in the process of making a protected disclosure for any of the purposes of the Employment Rights Act 1996 or the Employment Rights (Northern Ireland) Order 1996 (SI 1996/1919 (NI 16)).”.

This amendment seeks to ensure that the offences listed in the offences of the Bill do not infringe on a worker’s ability to raise public interest concerns about wrongdoing, risk or malpractice.

Liam Byrne

I am grateful to my hon. Friend the Member for Edinburgh South for keeping me warm and enthused.

The amendment is important. None of us wants to damage the right and power of whistleblowers to bring important information into the public domain, sometimes to the attention of regulators, sometimes to the attention of organisations, such as the Health and Safety Executive, and sometimes to the attention of Members. Over the years, we have put in place a good regime in order to ensure that whistleblowers are afforded protections that allow them to come forward with information that is in the public interest.

The reason we have to consider that now is that data protection legislation is being strengthened by the incorporation of GDPR into British law. However, the risk is that the ambiguities that frame the protection of whistleblowers in the Bill are such that many are concerned that whistleblowers will not be given the right protection against data protection legislation.

The Government recognise that it is important to protect whistleblowers. There is a protection in clause 170 for whistleblowers bringing forward information that is

“justified as being in the public interest.”

The argument put to us by Public Concern at Work and others is that that approach is unlikely to be effective. We are told that there will be a new test in law, which will therefore require guidance from the courts. Until that time, the precise meaning will obviously be a bit moot, and the scope of the situations that the Government seek to protect will remain a little uncertain. That uncertainty and ambiguity will jeopardise an individual who might have something important to bring to the attention of the outside world.

Exceptions to violations in personal data confidentiality were recently considered by the Government in section 58 of the Digital Economy Act 2017, which provided a far more comprehensive list of exceptions. Where there is overlap between the Bill and the Digital Economy Act, it appears that the Act deals much more satisfactorily with whistleblowers.

I remind the Committee that section 58 of the Act says that the offence does not apply to a disclosure

“which is a protected disclosure for any of the purposes of the Employment Rights Act 1996 or the Employment Rights (Northern Ireland) Order 1996”.

We therefore have a pretty well established and grounded definition of exceptions. Indeed, it was so well defined and grounded that the Government decided to use that definition in the 2017 Act. It is not clear why the Bill seeks to create alternative definitions and therefore the need for alternative tests and guidance in the courts when we have a definition we can rely on.

The Opposition amendment would return us to what we think was sensible drafting in the Digital Economy Act. That Act is not ancient history—it was only 12 months ago. Otherwise, the risk is that the Government, employers, courts and trade unions will get into an awful muddle as they try to understand which legislation protects whistleblowers in new circumstances. None of us wants to create a situation of uncertainty and ambiguity that stops whistleblowers from coming forward with important information.

I therefore hope we can have a useful debate about why the Government have chosen to introduce new definitions when it is not clear that they are improvements on well-established employment law that dates back to the Employment Rights Act 1996. Let us hear what the Minister has to say, but I hope the Government reflect on the arguments we rehearse this afternoon and introduce further enhancements and perfections on Report.

Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)

The right hon. Gentleman is correct: it is essential that we do not create an offence in the clause that will snare whistleblowers. I am sure the Committee shares that goal. Indeed, if we created such an offence, whistleblowers would no longer be whistleblowers—a qualifying disclosure would no longer be a qualifying disclosure if it were an offence under different legislation, including the Bill.

We will listen carefully to what the Minister says, but, to come at it from a slightly different angle, as I understand it, the Employment Rights Act currently requires a “reasonable belief” by the worker making the whistleblowing disclosure that it is in the public interest to disclose that information. That seems a slightly easier test than the one contained in a defence in subsection (2) of the clause, which requires not a “reasonable belief”—those words do not appear—but proof that disclosure was justified in the public interest. There is also a contrast with subsection (3), where a reasonable belief test is applied to a defence but only in circumstances of publication of either journalistic, artistic or literary material.

It is not clear to me why there is a reasonable belief test in subsection (3) but not in subsection (2). I am interested to hear what the Minister has to say about that distinction.

--- Later in debate ---
Margot James

I referred to the public interest defence as a flexible defence that would encapsulate non-criminal activities. I do not know whether that satisfies the hon. Gentleman, but a flexible public interest defence is indeed required.

For those reasons, I reassure hon. Members that a further defence providing for whistleblowing is unnecessary. It is telling that there is no such defence in section 55 of the 1998 Act, and we are not aware of any problems with its operation. Hon. Members mentioned section 58 of the Digital Economy Act 2017. That is a difficult comparison. Unlike clauses 170 and 171, section 58 does not contain a straightforward public interest defence, so, unlike the offences in the Bill, there may be no alternative protection for such disclosures. I hope I have given hon. Members sufficient reassurance that they feel confident withdrawing their amendments.

Liam Byrne

I am grateful to the Minister for that reply. She says that she wants to try to update the legislation. I understand what she is trying to do and why she does not accept that there is a complete parallel with the Digital Economy Act. None the less, the new definition will need to be tested in court, new guidance will need to be issued and new ambiguity will therefore be created, which brings with it the risk that important whistleblowers will be dissuaded from bringing forward information that is in our interest and letting it see the light of day.

I hope the Minister reflects on that further. She seeks to create an extension in law to ensure that there is a public interest definition in the round—I can see the enlargement that she is trying to make—but I hope she reflects before Report stage on the challenge that new definitions will have to be tested in court, which will create ambiguity and risk. I do not think she wants to create that risk, but the strategy she sets out does not completely delete it and it remains a concern. I will happily withdraw the amendment, but I ask the Minister to reflect on that point before Report.

Margot James

I am happy to reflect on what the right hon. Gentleman proposes. The last thing we want is to have any chilling effect on would-be whistleblowers.

Liam Byrne

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 170 ordered to stand part of the Bill.

Clause 171

Re-identification of de-identified personal data

Question proposed, That the clause stand part of the Bill.

Darren Jones

It is a pleasure to serve under your chairmanship this afternoon, Mr Streeter. I want to pursue the debate on the re-identification of de-identified personal data because, as the Minister pointed out, under the general data protection regulation, the idea of pseudonymised data comes into the law for the first time. For example, if my name, as my personal data, is turned into #365, it has been pseudonymised, and the question is whether #365 can be unlocked to identify the name “Darren Jones”. Pseudonymising is distinct from anonymising, which cannot be unlocked.

The question has come up a lot in the Select Committee on Science and Technology, in various contexts. I had a conversation with the Minister and her officials in the Select Committee about one scenario—the use of genetic data in the health service, where lots of data from individuals is pooled together for the purpose of learning about trends. It may be re-applied to the individual in the delivery of care. Another example might involve Facebook clients being able to upload customer lists on to the Facebook advertising profile. Each name would be hashed—pseudonymised—but ultimately targeted advertising could be pushed through to the individual’s profile.

Both those scenarios raise a policy question about the end of the process, when it comes back to the individual—the information has been personally identifiable, then is pseudonymised in a pooled way, and is then re-identified. Will those issues give rise to an offence under the part of the Bill that we are considering, and should consent be different, with the potential for pseudonymised data to be re-identified made clear to the end user? The reason I have not tabled any amendments to deal with the point is that I do not know the answer, but I should welcome the Minister’s views, and perhaps a commitment to have a conversation either with the Information Commissioner or the new data and artificial intelligence ethics unit about different types of consent where data is pseudonymised and then re-identified, either for health purposes or targeted advertising.

--- Later in debate ---
Darren Jones (Bristol North West) (Lab)

I beg to move amendment 151, in clause 177, page 102, line 13, at end insert—

“(4) Notwithstanding any provision in section 6 of the European Union (Withdrawal) Act 2018, a court or tribunal shall have regard to decisions made by the European Court after exit day so far as they relate to any provision under this Act.”.

For fear of sounding like a broken record, my arguments in favour of the amendment are broadly similar to those for amendment 152—in seeking to assist the Government in our shared aim of getting a decision of adequacy with the European Commission, it would be helpful to set out in the Bill our commitment to tracking and implementing European jurisprudence in the area of data protection. Members will remember that amendment 152 dealt with the European data protection board. Amendment 151 makes the same argument, but in respect of the European Court.

I appreciate that there may be some political challenges in stating the aim that the UK will mirror the European Court’s jurisdiction, but the reality is that developing European data protection law, either directly from the courts or through the European data protection board, will in essence come from the application of European law at the European Court of Justice. The amendment does not seek to cause political problems for the Government, but merely says that we ought to have regard to European case law in UK courts, in order to provide the obligation to our learned friends in the judiciary to have regard to European legal decision making and debates in applying European-derived law in the United Kingdom. This short amendment seeks merely to put that into the Bill, to assist the Government in their negotiations on adequacy with the European Commission.

Liam Byrne

I would like to say a word in support of this important amendment. We had a rich and unsatisfactory debate on the incorporation of article 8 of the European charter of fundamental rights into British law. We think that that would have helped the Government considerably in ensuring that there is no divergence between the European data protection regime and our own. If the Government are successful, they will operate on different constitutional bases, and there is therefore a real risk of divergence over the years to come. I think that everyone on the Committee is now pretty well versed in the damage that that would do to British exports, many of which are digitally enabled. This is a really helpful amendment. It tries to tighten the lockstep that we have to maintain with European data protection regimes, which will be good for exports, services and the British economy, and the Government should accept it.

Margot James

When we leave the European Union, the direct jurisdiction of the Court of Justice of the European Union in the UK will come to an end. Clause 6 of the European Union (Withdrawal) Bill gives effect to that and takes a clear and logical approach to how our domestic courts should approach the case law of the CJEU as a result. In short, where a judgment precedes our exit, it is binding on courts below the Supreme Court. Where a judgment post-dates our exit, our courts may have regard to it if they consider it appropriate, but EU law and the decisions of the ECJ will continue to affect us. The ECJ determines whether agreements that the EU has struck are legal under the EU’s own law. If, as part of our future partnership, Parliament passes an identical law to an EU law, it may make sense for our courts to look at the appropriate ECJ judgments so that we interpret those laws consistently, but our Parliament would ultimately remain sovereign.

--- Later in debate ---
Margot James

I would not rule it out, but the negotiations are between two parties, so however much we may wish to maintain our membership of the European data protection board, that might not be something that the EU will grant us. As I say, it is a matter for negotiation and I am sure things will become clearer over the next 12 months. To take an approach now that would require our courts to follow future case law of the CJEU, even if only in some areas, would place limitations on the discretion and independence of our courts.

Liam Byrne

The Minister is trying to protect a discretion that sounds like the defence of a right to depart from EU case law to such an extent that we might jeopardise an adequacy agreement. Surely the point of this amendment is to keep us in lockstep, to de-risk that adequacy agreement for the years to come. That surely must be an object of her Government’s policy.

Margot James

The Government are absolutely committed to getting an adequacy agreement. The Prime Minister has said she wishes to go beyond adequacy in the negotiations. I would like to reassure the right hon. Gentleman that the very opposite is the case. Our courts can have regard to, and that is good enough. There is no reason for this to be different in the area of data protection from what it might be in any other area.

The provision has been discussed at length and agreed to by the House. Hon. Members will be aware that the other place is now scrutinising the EU (Withdrawal) Bill and has focused on this very matter. There is broad agreement that we need to consider how best to ensure that the Bill achieves the policy aim with sufficient clarity. We want to reach agreement on a proposition that commands the greatest possible support. We should, however, be wary of seeking to provide for something that alters the underlying policy in a way that binds or steers our courts towards a particular outcome, for example, by saying that they must have regard in only certain areas of law.

Liam Byrne

I do not quite follow the Minister’s argument. On the one hand, she says that it is the object of Government policy to secure an adequacy agreement and presumably keep that adequacy agreement, if not, indeed, go beyond it. She is now seeking to defend a flexibility that would allow some kind of departure from European norms. I cannot understand how she can quite want her cake and eat it.

Margot James

Courts will be allowed to follow the jurisprudence of the ECJ in this area of data protection. Nothing I am saying is prompting a departure from that position. We see the amendment as going further than we would like to go. By contrast, the Government’s proposed approach to CJEU oversight respects the referendum result and is clear, consistent and achievable.

Cambridge Analytica: Data Privacy

Liam Byrne Excerpts
Monday 19th March 2018

(6 years, 1 month ago)

Commons Chamber

Urgent Questions are proposed each morning by backbench MPs, and up to two may be selected each day by the Speaker. Chosen Urgent Questions are announced 30 minutes before Parliament sits each day.

Each Urgent Question requires a Government Minister to give a response on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the official record

Matt Hancock

I start by paying tribute to the work of the Select Committee, as I have done from this Dispatch Box before. It is doing an incredibly important piece of work. Because of the sensitivities of this, in terms of its political nature and the impact on political campaigning, it is excellent that a cross-party group of MPs is leading work on this, and I pay tribute to Members on both sides of the House for their role in that. I remind them that they ultimately have the power of summons, if people are not giving them good enough answers.

I will ensure that we look into all the considerations my hon. Friend mentions. He raised a point about consent not just being given through a tick box, and this is directly addressed in the Data Protection Bill. Currently, because of the nature of the legislation—the 1998 Act is very old in digital terms—companies can get away with asking for a box to be ticked, even though many people do not read all the small print. The Data Protection Bill will replace the tick-box approach with a principles-based approach, which I think the whole House should support.

Finally, my hon. Friend asked about the powers of the Information Commissioner. He is absolutely right that we must, with the legislation before the House right now, ensure that we get the powers right so that the Information Commissioner can carry out an audit. Such a power is already in the Bill, but the question is whether there is a strong enough backstop for when people choose not to comply with an audit. At the moment, there is a very serious fine, but the question is whether the criminal penalties that can be imposed in some cases should be further strengthened. That detail is rightly being looked at in the discussions on the Data Protection Bill.

Liam Byrne (Birmingham, Hodge Hill) (Lab)

I too pay tribute to the Committee. I also pay tribute to The Guardian newspaper and Carole Cadwalladr for pursuing this with such utter relentlessness, despite the harassment that she has received. If true, these allegations provide an utter indictment of the permissive environment that this Government have created, which has allowed the data giants in this country to be both careless and carefree in their misuse of data. If they are true, 50 million data records have been misused in a way that means rights have been breached, but also in a way that could have affected the outcome of elections and referendums.

I am grateful to the Secretary of State for considering amendments to the Data Protection Bill. Will he confirm that he will bring forward amendments for stronger powers for the Information Commissioner? If he does so, we will back him on them. Will he also now accept our amendments to set a deadline for modernising the e-commerce directive, which treats such companies under laws that were invented before they were even born? Will he think again about making it possible, in the way that we have set out, to bring class actions where data rights are breached so that they are actually accessible to people, and will he support our amendments to require disclosure of funding for the dark social ads that we know can influence elections and, indeed, referendums?

The final point for the Secretary of State to consider is whether the directors of Cambridge Analytica can still be judged fit and proper people to hold directorships. Will he confirm not only that the Information Commissioner will investigate this breach, but that the full weight of Companies House and the Serious Fraud Office are behind it, so that if these people need to be struck off, they are struck off forthwith?

Matt Hancock

I add my praise for the Guardian journalists who have done the work published this weekend. I agree with the right hon. Gentleman on many of the issues he raises. It is best to proceed on this with the cross-party consensus that we have on many such areas. I am not sure about the argument that we have dragged our feet, given that this Government have brought forward the Data Protection Bill, and that this Government supported the general data protection regulation very strongly at European level. We are, indeed, already taking action to put right some of the things that need to be strengthened because of the development of technology.

The right hon. Gentleman asked about the e-commerce directive. With Brexit, we will of course be leaving the e-commerce directive, so it is not a question of updating it, but of what to put in its place. We will be leaving the digital single market, and we have an opportunity to make sure that we get that piece of legislation right for the modern age—supporting innovation, growth and the use of modern technology, but doing so in a way that commands the confidence of citizens.

The right hon. Gentleman asked about the directors of Cambridge Analytica. We will of course ensure that people are operating within the law. The question of whether they are fit and proper persons is for a different Department, but I am certainly very happy to talk about that to my ministerial colleagues.

Data Protection Bill [Lords] (Third sitting)

Liam Byrne Excerpts
Thursday 15th March 2018

(6 years, 2 months ago)

Public Bill Committees

Darren Jones (Bristol North West) (Lab)

I beg to move amendment 152, in schedule 6, page 179, line 17, leave out paragraph 2 (as inserted by paragraph 49) and insert—

“2 The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, incorporate with any modifications which he or she considers necessary in any guidance or code of practice which the Commissioner issues, decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR.

2A The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”

It is a pleasure to serve under your chairmanship, Mr Streeter. I declare my interests as set out in the Register of Members’ Financial Interests.

Amendment 152, like the amendments we tabled on Tuesday, would assist the Government in securing a finding of adequacy from the European Commission so that, if the UK leaves the European Union, we can continue to exchange data with it. As the Committee knows, I like to refer to my version of the general data protection regulation as much as to the Bill, even though it is not the subject of our debate today.

I welcome the Government’s commitments on the Floor of the House to seeking something “akin to” adequacy, then adequacy, and then something “beyond adequacy”. I thank the Minister, the hon. Member for Stourbridge, for her response to my question on Second Reading about wanting “beyond adequacy” to represent a useful position for our Information Commissioner on the European data protection board. Some of us have concerns about that because of the practicalities of what happens with third countries. Indeed, I asked the Information Commissioner herself about it at an evidence session of the Select Committee on Science and Technology, and she confirmed that third countries traditionally have little influence on the article 29 working party—the predecessor of the EDPB—even if they have a seat at the table.

I think our shared view is that in seeking “beyond adequacy”, we want not only to have a seat at the table as a potential third country but to have influence. In order to have that influence, we need to go slightly above and beyond what other third countries do and show close co-operation between the UK and the European Union.

Article 45 of the GDPR sets out guidelines on how the European Commission will assess and agree decisions on adequacy. It has to be happy that our legal framework is in line with its own. Of course, there will be an initial conversation as part of trade negotiations with the European Union. Under paragraph 3, the Commission is then to undertake

“a periodic review, at least every four years”

to ensure that we continue to be compliant. Paragraph 4 refers to ongoing monitoring of developments in third countries in their application of data protection laws and privacy rights.

As I have said on Second Reading and in previous debates on data protection laws, my concern is that we should lockstep the developments in our legislation, guidance and codes of conduct to show that they are still in line with the leading European Union legislative framework for data protection, so that we can continue to flow important amounts of data. Some 70% of our data flow is with the EU, and the UK accounts for a huge proportion—around 11%—of global data flow. We must maintain that. Under article 50 of the GDPR, in deciding on adequacy, the European Commission must seek

“mechanisms to facilitate the effective enforcement of legislation”.

This is our opportunity to show the European Union that we are committed to data protection principles. Amendment 152 would tweak the wording of paragraph 2 of article 61 of the applied GDPR. I was pleased to see that paragraph; in earlier debates I raised some concerns that—for political reasons that I will not go into today—the Bill might not go as far as admitting that we need to track and implement EU law in the area. However, I want to strengthen the paragraph 2 wording, which says that our Information Commissioner must

“have regard to”

various things that happen at European Union level, including

“decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board”.

The amendment seeks to strengthen that slightly, while recognising that the Government, and probably also the Information Commissioner, would like a little flexibility.

Liam Byrne (Birmingham, Hodge Hill) (Lab)

This is a wise and carefully crafted amendment. Does my hon. Friend agree that it is especially needed because the Government have rather unwisely decided not to incorporate article 8 into British law, which means there is a risk of courts in Europe and Britain interpreting data protection regimes differently, leading to divergence in future?

Darren Jones

I agree. I am attempting not to get too much into the party politics in a bid to seek the Government’s agreement to the amendment, but there is an important distinction to be made. We have a layering of risks in seeking to achieve adequacy. On Tuesday we debated at length the Government’s decision to repeal fundamental rights of the European charter, which we know from European guidelines is something they look to. We will come to issues of national security today, which is also an issue for third countries, as we have seen with Canada.

This small amendment would help mitigate some of that risk by making it clear to our friends in the European Union that we in Britain are proud about the influence we had in drafting the general data protection regulation, which is a world-leading set of laws and rules for the future of our digital economy, and we continue to want to play a part in that, to help lead the conversation in the world and at European Union level. In co-operation with our friends in Europe, we seek to maintain that. While the Government may wish for divergence in other areas, I take the view that they do not in this area because we have been at the forefront of developments.

The amendment seeks only to tweak what is already in the Bill. As Members will see, it says that we would

“incorporate, with any modifications which he or she”—

that is the Information Commissioner—

“considers necessary in any guidance or code of practice… decisions…issued by the European Data Protection Board”.

There is a nuanced difference; the Bill as drafted speaks of having “regard to”, while the amendment speaks of incorporating, with any modifications that the Information Commissioner feels fit. It may seem like I am getting stuck in semantics—I do quite like to do that—but the amendment would deliver an important tone to the European Commission. On passing the Bill, we would be saying that when we are negotiating on data, where we have a shared interest at European and UK level, we want to get it right, and we will have gone beyond the basics of adequacy of other third countries because of our close relationship. We will hopefully have a seat on the European data protection board, where we seek to have influence, and we will take that responsibility seriously and, therefore, we will incorporate decisions of the board into the guidance of UK laws to lockstep our development in the area. As I said, it is made clear in the general data protection regulation that that is to be monitored on a continuous basis and more formally on a periodic basis.

I would not want us to lose adequacy in the future by diverging from European Union law. I want us to have an influential position on the European data protection board, which means being involved in the detail and taking the obligation of carrying that through on our side of the fence. The amendment seeks to bring that tone of co-operation and would help us and the Government in seeking adequacy so that we can secure these important data flows into the future.

Liam Byrne

It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.

That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.

Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

It is a pleasure to serve under your chairmanship, Mr Streeter. I thank the hon. Member for Bristol North West, who has great knowledge of these issues and has put his thoughts on his amendment very well to the Committee. As the Prime Minister said in her Mansion House speech, the ability to transfer data across international borders is crucial to a well-functioning economy, and that will remain the case after we leave the European Union. We are committed to ensuring that uninterrupted data flows between the UK and the EU continue. One way we can help to ensure that we have the foundations for that relationship is to continue to apply our exceptionally high standards for the protection of personal data.

Amendment 152 relates to the applied GDPR, which exists to extend GDPR standards to personal data processed for purposes outside the scope of EU law that may be otherwise left unregulated. The amendment is to schedule 6 of the Bill, which creates the applied GDPR by modifying the text of the GDPR so that it makes sense for matters outside the scope of EU law. The extension of GDPR standards is vital, because having a complete data protection regulatory framework will provide the UK with a strong foundation from which to protect people’s personal data and secure the future free flow of data with the EU and the rest of the world. Applying consistent standards ensures that those bodies—mostly public authorities—who process personal data, both in and out of the scope of EU law, experience no discernible operational difference when doing so.

However, the applied GDPR, although very close, is not identical to the GDPR known as the real GDPR. The differences are primarily the inevitable result of extending text designed for the EU to matters over which the UK and other member states retain competence. Reference to member states becomes a reference to our country; reference to the supervisory authorities becomes a reference to the Information Commissioner, and so on. Similarly, the applied GDPR, as a purely domestic piece of regulation, is outside the scope of the functions of the European data protection board and the EU Commission.

Decisions and guidance issued by the European Data Protection Board will have an important bearing on the GDPR as implemented in the UK. To ensure that the interpretation of the applied element of the GDPR remains consistent with the interpretation of the real GDPR, it is right that the Information Commissioner should have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions, as the UK regulator and enforcer of the applied GDPR. However, the amendment goes further, by requiring her to incorporate them into her guidance and codes of practice. The effect of that is to extend the ambit of the European data protection board so that, uniquely among member states, it would have within its purview processing outside the scope of EU law, when that processing was undertaken in the UK.

We do not agree that such an extension is required for the UK to achieve the relationship that we are seeking. By contrast, the current requirement in paragraph 49 of the schedule, for the commissioner to have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions means that she can and, in some cases, should incorporate into her guidance what she recognises as relevant and necessary. We are confident that that, founded on the commissioner’s discretion, remains the best approach. On that basis, I hope that the hon. Member for Bristol North West feels able to withdraw his amendment.

--- Later in debate ---
Darren Jones

I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.

From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.

The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.

Liam Byrne

The Minister seemed to rest her argument on the need to preserve the Information Commissioner’s discretion, which implies that she is trying to protect the commissioner’s ability to go her own way. That will not help us to secure, lock down or nail to the floor an adequacy agreement in years to come. It will put an adequacy agreement at risk.

Darren Jones

My right hon. Friend is exactly right. Of course, the Information Commissioner is an excellent commissioner. We are privileged to have Elizabeth in the role here in the UK, not least with her experience, as a Canadian, of being in a third country. That is why I put some flexibility into my amendment—to recognise that situations may arise about which we cannot hypothesise today in which the commissioner will need some flexibility. Under my amendment, she has the power to add modifications that she considers necessary. The Government’s concerns about the lack of flexibility are not reflected in the drafting of my amendment, as I have tried to deal with that.

The idea that the amendment increases the European data protection board’s power is incorrect, because this is UK law, not European Union law. The amendment merely says that we will go only slightly further, with flexibility, by recognising that in the decisions that we want to be a part of—that is a really important point here—and to influence, we will take the obligations as well as the responsibilities, should we be invited to.

--- Later in debate ---
Margot James

These Government amendments concern the issue of class representation for data protection breaches. Article 80(1) of the GDPR enables a not-for-profit organisation to represent a data subject on their behalf, if the data subject has mandated them to do so. The Bill gives effect to the same right in clause 183. Where a not-for-profit organisation wants to bring a claim on behalf of multiple people, as things stand it will need to make multiple applications to the court. That is not efficient, and it would be better if all the claims could be made in a single application.

New clause 1 gives the Secretary of State the power to set out provisions allowing a non-profit organisation to bring a claim on behalf of multiple data subjects under article 80(1). We have taken the practical view that that will be an effective way for a non-profit group to seek a remedy in the courts on behalf of a large number of data subjects. The Bill does not give effect to article 80(2), which allows not-for-profit bodies to represent individuals without their mandate. We believe that opt-out collective proceedings should be established on the basis of clear evidence of benefit, with a careful eye on the pitfalls that have befallen so-called class-action lawsuits in other jurisdictions. The Government have, however, listened to the concerns raised and accept that further consideration should be given to the merits of implementing the provisions in article 80(2).

New clause 2 provides a statutory requirement for the Secretary of State to conduct a review of the operation of article 80(1), which will consider how it and the associated provisions in the Bill have operated in practice and assess the merits of implementing article 80(2) in the future. The review will involve consultation among relevant stakeholders, such as the Information Commissioner, businesses, privacy groups, the courts, tribunals and other Departments. The new clause requires the Secretary of State to conduct the review and present its findings to Parliament within 30 months of the Bill’s coming into force. That is necessary to provide enough time for there to be sufficient evidence to scrutinise the options provided in article 80(1) in the civil courts. Were the review period to be substantially shorter, it would increase the likelihood of there being a paucity of evidence, which would undermine the effectiveness and purpose of the review. Upon the conclusion of the review period, the Secretary of State will have the power, if warranted, to implement article 80(2), allowing non-profit organisations to exercise the rights awarded to data subjects under articles 77, 78, 79 and 82 on their behalf without first needing their authorisation to do so.

Amendments 63 to 68, 73, 74 and 115 are consequential amendments that tidy up the language of the related clause, clause 183. They provide additional information about the rights of data subjects that may be exercised by representative bodies. I commend the amendments to the Committee.

Liam Byrne

I will speak to amendments 154 and 155, which are in my name and those of my hon. Friends. The broad point I want to start with is a philosophical point about rights. If rights are to be real, two things need to be in place: first, a level of transparency so that we can see whether those rights are being honoured or breached; and, secondly, an efficient form of redress. If we do not have transparency and an effective, efficient and open means of redress, the rights are not real, so they are theoretical.

We think there are some unique circumstances in the field of data protection that require a slightly different approach from the one that the Government have proposed. The Government have basically proposed an opt-in approach with a review. We propose an opt-out approach. We think that the argument is clear cut, so we do not see why the Government have chosen to implement something of a half-measure.

The Bill gives us the opportunity to put in place an effective, efficient and world-leading form of redress to ensure that data protection rights are not breached. The reality is that large-scale data breaches are now part and parcel of life. They affect not only the private sector but the private sector, which is partnering with Government. We have seen a number of data breaches among Government partners where financial information has been leaked. The reality is that data protection breaches around the world are growing in number and size.

What is particularly egregious is that many private sector companies admit to the scale of a data breach only many years after the offence has taken place. Yahoo! is a case in point. It had one of the biggest data breaches so far known, but it took many months before the truth came out. That has been true of Government partners, too. Sometimes a lesser offence is admitted to. There is muttering about a particular problem and then, as the truth unfolds, we hear that a massive data breach has taken place. The reality is that these firms are by and large going unpunished. Although the Bill proposes some new remedies of a significant scale, unless those remedies can be sought by ordinary citizens in a court, they frankly are not worth the paper they are printed on.

To underline that point, I remind the Committee that often we look to the Information Commissioner to take the lead in prosecuting these offences. My hon. Friend the Member for Bristol North West was right to celebrate the strength of our current Information Commissioner, but the Government have not blessed the Information Commissioner with unlimited resources, and that will not change in the foreseeable future. What that means is that in the last year for which we have information—2016-17—the Information Commissioner issued only 16 civil monetary penalties for data breaches. That is a very small number. We think we need a regime that allows citizens to bring actions in court. That would multiply the power of the Information Commissioner.

Article 80 of the GDPR addresses that problem in a couple of ways, and the Minister has alluded to them. Article 81 basically allows group or class actions to be taken, and article 82 says that the national law can allow representative bodies to bring proceedings. The challenge with the way in which the Government propose to activate that power is that the organisation bringing the class action must seek a positive authorisation and people must opt in. The risk is that that will create a burden so large that many organisations will simply not step up to the task.

--- Later in debate ---
Margot James

I thank right hon. and hon. Members for their contributions. We certainly agree with the need for a transparent system of rights over people’s personal data and a system of enforcement of those rights. We could not agree more with the thinking behind that, but we need to pause for thought before implementing article 80(2). The GDPR represents significant change, but we should test the effectiveness of the new enforcement scheme, including, as we have already discussed, article 80(1), before we make further changes of the type proposed this morning under amendments 154 and 155.

Amendment 154 applies article 80(2) with immediate effect and gold-plates it. We have a number of concerns with that approach. First, we are wary of the idea that data subjects should be prevented from enforcing their own data rights simply because an organisation or, in this instance, an individual they had never met before, got there first. That is not acceptable. It contradicts the theme of the Bill and the GDPR as a whole, which is to empower individuals to take control of their own data. As yet we have no evidence that that is necessary.

Liam Byrne

Let us take Uber—one of the most recent of the 200 data breaches listed on Wikipedia. In that case, 57 million records were leaked. How is one of those drivers going to take Uber to court to ensure justice?

Margot James

The GDPR places robust obligations on the data controller to notify all data subjects if there has been a breach that is likely to result in a high risk to their rights. That example is almost unprecedented and quite different—

Liam Byrne

It is not unprecedented. Look at the Wikipedia page on data breaches. There are 200 of them, including Uber, Equifax, AOL, Apple, Ashley Madison, Betfair—the list goes on and on. I want an answer to a very simple question. How is a humble Uber driver, who is busting a gut to make a living, going to find the wherewithal to hire a solicitor and take Uber to court? What is the specific answer to that question?

Margot James

If a data subject is sufficiently outraged, there is nothing to stop them contacting a group such as Which? and opting into a group action. Furthermore, a range of enforcement options are open to the ICO. It can issue enforcement notices to compel the controller to stop doing something that is in breach of people’s data rights. As I said, there is nothing to stop a data subject opting into a group action.

Liam Byrne

There is only one major precedent for the kind of scenario the Minister has sketched out today, which is Various Claimants v. Wm Morrisons Supermarket plc—a case she knows well. That case illustrates the difficulties of opt-in. It is by far the largest group of data protection claimants ever put together. Even then, the total number of people who could be assembled was 5,000 out of 100,000 people whose data rights were breached. That was incredibly difficult and took a huge amount of time. Even if the claim succeeds, the 95% of people not covered by the claim will not receive justice. I am not quite sure what new evidence the Minister is waiting for so that she has enough evidence to activate the kind of proposals we are talking about today.

Margot James

As I said, the GDPR represents significant change. We believe we should test the effectiveness of the new enforcement scheme before we make further changes of the kind the right hon. Gentleman is suggesting. The Morrisons case was effective. The collective redress mechanism—group litigation orders—was used and was effective. The Information Commissioner will have new powers under the Bill to force companies to take action when there has been a breach of data.

There are other problems with amendment 154. First, like the right hon. Member for Birmingham, Hodge Hill, we are concerned about children’s rights. We would be concerned if a child’s fundamental data rights were weighed up and stripped away by a court without parents or legal guardians having had the opportunity to make the decision to seek redress themselves or seek the help of a preferred non-profit organisation. Once that judgment has been finalised, there will be no recourse for the child or the parent. They will become mere observers, which is unacceptable and makes a travesty of the rights they are entitled to enforce on their own account.

Secondly, we must remember that the non-profit organisations referred to in the amendment are, by definition, active in the field of data subjects’ rights. Although many will no doubt have data subjects’ interests at heart, some may have a professional interest in achieving a different outcome—for example, chasing headlines to promote their own organisation. That is why it is essential that data subjects are capable of choosing the organisation that is right for them or deciding not to partake in a claim that an organisation has advertised. The amendment would also allow an individual to bring a collective claim on behalf of other data subjects without their consent.

Margot James

The Information Commissioner has powers to force companies to notify data subjects of any breach of data, and there is a legal requirement on companies so to do.

The amendment would allow an individual to bring a collective claim on behalf of other data subjects without their consent. We oppose it because it does not give people the protection of knowing that the entity controlling their claim is a non-profit organisation with a noble purpose in mind. I am pleased to say that, as I outlined this morning, the Government’s position was supported in the other place by the Opposition Front Benchers and the noble Baroness Kidron.

Liam Byrne

I am incredibly disappointed with the Minister’s response, and I am not quite sure I believe that she believes what she has been reading out. I hope that between now and Report, or whenever the amendment is pressed to a vote, she will have the opportunity to consult Which? and her officials. The reality is that for complex public policy decisions, whether relating to organ donation or auto-enrolment pensions, we have well-established procedures for opting out, rather than opting in. There has been strong cross-party support for that over the past seven or eight years, and it reflects a reality in new economic thinking. Behavioural economics shows that opt-out is often better than opt-in.

If the Government pursue that line of argument on Report, in the other place and through to Royal Assent, we will not permit the Minister ever again to refer to the Bill as a gold standard in data protection. It is a shoddy, tarnished bronze. She has sought to ensure that the legal playing field is tilted in the favour of large organisations and tech giants, and away from consumers and children. That will lead to a pretty poor state of affairs. We now have enough precedents to know that the regime she is proposing will not work. This is not a theoretical issue; it has already been tested in the courts. Her proposal will not fix the asymmetry that potentially leaves millions of people without justice.

The idea that the Minister can present the Morrisons case as some kind of success when 95% of the people whose data rights were breached did not receive justice because they did not opt in to the class action betrays it all. She is proposing a system of redress that is good for the few and bad for the many. If that is her politics, so be it, but she will not be able to present the Bill as the gold standard if she persists with that argument.

The Chair

As I said, we will deal with the Opposition amendments later in our proceedings.

Amendment 115 agreed to.

Schedule 6, as amended, agreed to.

Clauses 23 and 24 ordered to stand part of the Bill.

Clause 25

Manual unstructured data used in longstanding historical research

Amendment made: 17, in clause 25, page 15, line 40, leave out “individual” and insert “data subject”.—(Margot James.)

Clause 25 makes provision about the processing of manual unstructured data used in longstanding historical research. This amendment aligns Clause 25(1)(b)(i) with similar provision in Clause 19(2).

Clause 25, as amended, ordered to stand part of the Bill.

Clause 26

National security and defence exemption

Question proposed, that the clause stand part of the Bill.

--- Later in debate ---
The Parliamentary Under-Secretary of State for the Home Department (Victoria Atkins)

It is a pleasure to serve under your chairmanship, Mr Streeter. Clause 26 creates an exemption for certain provisions in the Bill only if that exemption is required for the purpose of safeguarding national security or for defence purposes. Where processing does not meet these tests, the exemption cannot apply. It is possible to exempt from most but not all the data protection principles the rights of data subjects, certain obligations on data controllers and processors, and various enforcement provisions, where required to safeguard national security or for defence purposes. In relation to national security, the exemption mirrors the existing national security exemption provided for in section 28 of the 1998 Act. The statutory framework has long recognised that the proportionate exemptions from the data protection principles and the rights of data subjects are necessary to protect national security. The Bill does not alter that position.

The exemption for defence purposes is intended to ensure the continued protection, security and capability of our armed forces and of the civilian staff who support them—not just their combat effectiveness, to use the outdated language of the 1998 Act. In drafting this legislation, we concluded that this existing exemption was too narrow and no longer adequately captured the wide range of vital activities that are undertaken by the Ministry of Defence and its partners. We have seen that all too obviously in the last two weeks.

Liam Byrne

On that point, will the Minister give way?

Victoria Atkins

If the right hon. Gentleman is going to disagree with me that combat effectiveness would be a very narrow term to describe the events in Salisbury, of course I will give way.

Liam Byrne

I actually wanted to ask about interpreters who support our armed forces. There is cross-party consensus that sometimes it is important to ensure that we grant leave to remain in this country to those very brave civilians who have supported our armed forces abroad as interpreters. Sometimes, those claims have been contested by the Ministry of Defence. Is the Minister confident and satisfied that the Ministry of Defence would not be able to rely on this exemption to keep information back from civilian staff employed as interpreters in support of our armed forces abroad when they seek leave to remain in this country?

Victoria Atkins

I cannot possibly be drawn on individual applications for asylum. It would be wholly improper for me to make a sweeping generalisation on cases that are taken on a case-by-case basis. I refer back to the narrow definition that was in the 1998 Act and suggest that our enlarging the narrow definition of combat effectiveness would mean including the civilian staff who support our brave troops.

The term “defence purposes” is intended to be limited in both application and scope, and will not encompass all processing activities conducted by the Ministry of Defence. Only where a specific right or obligation is found to be incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. The Ministry of Defence will continue to process personal information relating to both military and civilian personnel in a secure and appropriate way, employing relevant safeguards and security in accordance with the principles of the applied GDPR. It is anticipated that standard human resources processing functions such as the recording of leave and the management of pay and pension information will not be covered by the exemption.

Liam Byrne

I am sorry to press the Minister on this point, and she may want to write to me as a follow-up, but I think Members on both sides of the House have a genuine interest in ensuring that interpreters who have supported our troops abroad are able to access important information, such as the terms of their service and the record of their employment, when making legitimate applications for leave to remain in this country—not asylum—or sometimes discretionary leave.

Victoria Atkins

I am very happy to write to the right hon. Gentleman about that. The exemption does not cover all processing of personal data by the Ministry of Defence, but I am happy to write to him on that subject.

It may assist the Committee if I give a few examples of processing activities that might be considered to fall into the definition of defence purposes requiring the protection of the exemption. Such processing could include the collation of personal data to assist in assessing the capability and effectiveness of armed forces personnel, including the performance of troops; the collection and storage of information, including biometric data necessary to maintain the security of defence sites, supplies and services; and the sharing of data with coalition partners to support them in maintaining their security capability and the effectiveness of their armed forces. That is not an exhaustive list. The application of the exemption should be considered only in specific cases where the fulfilment of a specific data protection right or obligation is found to put at risk the security capability or effectiveness of UK defence activities.

The hon. Member for Sheffield, Heeley asked for a definition of national security. It has been the policy of successive Governments not to define national security in statute. Threats to national security are constantly evolving and difficult to predict, and it is vital that legislation does not constrain the security and intelligence agencies’ ability to protect the UK from new and emerging threats. For example, only a few years ago it would have been very difficult to predict the nature or scale of the threat to our national security from cyber-attacks.

Clause 26 does not provide for a blanket exemption. It can be applied only when it is required to safeguard national security or for defence purposes.

Data Protection Bill [Lords] (Morning sitting)

Liam Byrne Excerpts
Thursday 15th March 2018

(6 years, 2 months ago)

Public Bill Committees
Darren Jones (Bristol North West) (Lab)

I beg to move amendment 152, in schedule 6, page 179, line 17, leave out paragraph 2 (as inserted by paragraph 49) and insert—

“2 The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, incorporate with any modifications which he or she considers necessary in any guidance or code of practice which the Commissioner issues, decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR.

2A The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”

It is a pleasure to serve under your chairmanship, Mr Streeter. I declare my interests as set out in the Register of Members’ Financial Interests.

Amendment 152, like the amendments we tabled on Tuesday, would assist the Government in securing a finding of adequacy from the European Commission so that, if the UK leaves the European Union, we can continue to exchange data with it. As the Committee knows, I like to refer to my version of the general data protection regulation as much as to the Bill, even though it is not the subject of our debate today.

I welcome the Government’s commitments on the Floor of the House to seeking something “akin to” adequacy, then adequacy, and then something “beyond adequacy”. I thank the Minister, the hon. Member for Stourbridge, for her response to my question on Second Reading about wanting “beyond adequacy” to represent a useful position for our Information Commissioner on the European data protection board. Some of us have concerns about that because of the practicalities of what happens with third countries. Indeed, I asked the Information Commissioner herself about it at an evidence session of the Select Committee on Science and Technology, and she confirmed that third countries traditionally have little influence on the article 29 working party—the predecessor of the EDPB—even if they have a seat at the table.

I think our shared view is that in seeking “beyond adequacy”, we want not only to have a seat at the table as a potential third country but to have influence. In order to have that influence, we need to go slightly above and beyond what other third countries do and show close co-operation between the UK and the European Union.

Article 45 of the GDPR sets out guidelines on how the European Commission will assess and agree decisions on adequacy. It has to be happy that our legal framework is in line with its own. Of course, there will be an initial conversation as part of trade negotiations with the European Union. Under paragraph 3, the Commission is then to undertake

“a periodic review, at least every four years”

to ensure that we continue to be compliant. Paragraph 4 refers to ongoing monitoring of developments in third countries in their application of data protection laws and privacy rights.

As I have said on Second Reading and in previous debates on data protection laws, my concern is that we should lockstep the developments in our legislation, guidance and codes of conduct to show that they are still in line with the leading European Union legislative framework for data protection, so that we can continue to flow important amounts of data. Some 70% of our data flow is with the EU, and the UK accounts for a huge proportion—around 11%—of global data flow. We must maintain that. Under article 50 of the GDPR, in deciding on adequacy, the European Commission must seek

“mechanisms to facilitate the effective enforcement of legislation”.

This is our opportunity to show the European Union that we are committed to data protection principles. Amendment 152 would tweak the wording of paragraph 2 of article 61 of the applied GDPR. I was pleased to see that paragraph; in earlier debates I raised some concerns that—for political reasons that I will not go into today—the Bill might not go as far as admitting that we need to track and implement EU law in the area. However, I want to strengthen the paragraph 2 wording, which says that our Information Commissioner must

“have regard to”

various things that happen at European Union level, including

“decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board”.

The amendment seeks to strengthen that slightly, while recognising that the Government, and probably also the Information Commissioner, would like a little flexibility.

Liam Byrne (Birmingham, Hodge Hill) (Lab)

This is a wise and carefully crafted amendment. Does my hon. Friend agree that it is especially needed because the Government have rather unwisely decided not to incorporate article 8 into British law, which means there is a risk of courts in Europe and Britain interpreting data protection regimes differently, leading to divergence in future?

Darren Jones

I agree. I am attempting not to get too much into the party politics in a bid to seek the Government’s agreement to the amendment, but there is an important distinction to be made. We have a layering of risks in seeking to achieve adequacy. On Tuesday we debated at length the Government’s decision to repeal fundamental rights of the European charter, which we know from European guidelines is something they look to. We will come to issues of national security today, which is also an issue for third countries, as we have seen with Canada.

This small amendment would help mitigate some of that risk by making it clear to our friends in the European Union that we in Britain are proud about the influence we had in drafting the general data protection regulation, which is a world-leading set of laws and rules for the future of our digital economy, and we continue to want to play a part in that, to help lead the conversation in the world and at European Union level. In co-operation with our friends in Europe, we seek to maintain that. While the Government may wish for divergence in other areas, I take the view that they do not in this area because we have been at the forefront of developments.

The amendment seeks only to tweak what is already in the Bill. As Members will see, it says that we would

“incorporate, with any modifications which he or she”—

that is the Information Commissioner—

“considers necessary in any guidance or code of practice… decisions…issued by the European Data Protection Board”.

There is a nuanced difference; the Bill as drafted speaks of having “regard to”, while the amendment speaks of incorporating, with any modifications that the Information Commissioner feels fit. It may seem like I am getting stuck in semantics—I do quite like to do that—but the amendment would deliver an important tone to the European Commission. On passing the Bill, we would be saying that when we are negotiating on data, where we have a shared interest at European and UK level, we want to get it right, and we will have gone beyond the basics of adequacy of other third countries because of our close relationship. We will hopefully have a seat on the European data protection board, where we seek to have influence, and we will take that responsibility seriously and, therefore, we will incorporate decisions of the board into the guidance of UK laws to lockstep our development in the area. As I said, it is made clear in the general data protection regulation that that is to be monitored on a continuous basis and more formally on a periodic basis.

I would not want us to lose adequacy in the future by diverging from European Union law. I want us to have an influential position on the European data protection board, which means being involved in the detail and taking the obligation of carrying that through on our side of the fence. The amendment seeks to bring that tone of co-operation and would help us and the Government in seeking adequacy so that we can secure these important data flows into the future.

Liam Byrne

It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.

That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.

Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

It is a pleasure to serve under your chairmanship, Mr Streeter. I thank the hon. Member for Bristol North West, who has great knowledge of these issues and has put his thoughts on his amendment very well to the Committee. As the Prime Minister said in her Mansion House speech, the ability to transfer data across international borders is crucial to a well-functioning economy, and that will remain the case after we leave the European Union. We are committed to ensuring that uninterrupted data flows between the UK and the EU continue. One way we can help to ensure that we have the foundations for that relationship is to continue to apply our exceptionally high standards for the protection of personal data.

Amendment 152 relates to the applied GDPR, which exists to extend GDPR standards to personal data processed for purposes outside the scope of EU law that may be otherwise left unregulated. The amendment is to schedule 6 of the Bill, which creates the applied GDPR by modifying the text of the GDPR so that it makes sense for matters outside the scope of EU law. The extension of GDPR standards is vital, because having a complete data protection regulatory framework will provide the UK with a strong foundation from which to protect people’s personal data and secure the future free flow of data with the EU and the rest of the world. Applying consistent standards ensures that those bodies—mostly public authorities—who process personal data, both in and out of the scope of EU law, experience no discernible operational difference when doing so.

However, the applied GDPR, although very close, is not identical to the GDPR known as the real GDPR. The differences are primarily the inevitable result of extending text designed for the EU to matters over which the UK and other member states retain competence. Reference to member states becomes a reference to our country; reference to the supervisory authorities becomes a reference to the Information Commissioner, and so on. Similarly, the applied GDPR, as a purely domestic piece of regulation, is outside the scope of the functions of the European data protection board and the EU Commission.

Decisions and guidance issued by the European Data Protection Board will have an important bearing on the GDPR as implemented in the UK. To ensure that the interpretation of the applied element of the GDPR remains consistent with the interpretation of the real GDPR, it is right that the Information Commissioner should have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions, as the UK regulator and enforcer of the applied GDPR. However, the amendment goes further, by requiring her to incorporate them into her guidance and codes of practice. The effect of that is to extend the ambit of the European data protection board so that, uniquely among member states, it would have within its purview processing outside the scope of EU law, when that processing was undertaken in the UK.

We do not agree that such an extension is required for the UK to achieve the relationship that we are seeking. By contrast, the current requirement in paragraph 49 of the schedule, for the commissioner to have regard to decisions and guidance issued by the European Data Protection Board in carrying out her functions means that she can and, in some cases, should incorporate into her guidance what she recognises as relevant and necessary. We are confident that that, founded on the commissioner’s discretion, remains the best approach. On that basis, I hope that the hon. Member for Bristol North West feels able to withdraw his amendment.

--- Later in debate ---
Darren Jones

I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.

From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.

The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.

Liam Byrne

The Minister seemed to rest her argument on the need to preserve the Information Commissioner’s discretion, which implies that she is trying to protect the commissioner’s ability to go her own way. That will not help us to secure, lock down or nail to the floor an adequacy agreement in years to come. It will put an adequacy agreement at risk.

Darren Jones

My right hon. Friend is exactly right. Of course, the Information Commissioner is an excellent commissioner. We are privileged to have Elizabeth in the role here in the UK, not least with her experience, as a Canadian, of being in a third country. That is why I put some flexibility into my amendment—to recognise that situations may arise about which we cannot hypothesise today in which the commissioner will need some flexibility. Under my amendment, she has the power to add modifications that she considers necessary. The Government’s concerns about the lack of flexibility are not reflected in the drafting of my amendment, as I have tried to deal with that.

The idea that the amendment increases the European data protection board’s power is incorrect, because this is UK law, not European Union law. The amendment merely says that we will go only slightly further, with flexibility, by recognising that in the decisions that we want to be a part of—that is a really important point here—and to influence, we will take the obligations as well as the responsibilities, should we be invited to.

--- Later in debate ---
Margot James

These Government amendments concern the issue of class representation for data protection breaches. Article 80(1) of the GDPR enables a not-for-profit organisation to represent a data subject on their behalf, if the data subject has mandated them to do so. The Bill gives effect to the same right in clause 183. Where a not-for-profit organisation wants to bring a claim on behalf of multiple people, as things stand it will need to make multiple applications to the court. That is not efficient, and it would be better if all the claims could be made in a single application.

New clause 1 gives the Secretary of State the power to set out provisions allowing a non-profit organisation to bring a claim on behalf of multiple data subjects under article 80(1). We have taken the practical view that that will be an effective way for a non-profit group to seek a remedy in the courts on behalf of a large number of data subjects. The Bill does not give effect to article 80(2), which allows not-for-profit bodies to represent individuals without their mandate. We believe that opt-out collective proceedings should be established on the basis of clear evidence of benefit, with a careful eye on the pitfalls that have befallen so-called class-action lawsuits in other jurisdictions. The Government have, however, listened to the concerns raised and accept that further consideration should be given to the merits of implementing the provisions in article 80(2).

New clause 2 provides a statutory requirement for the Secretary of State to conduct a review of the operation of article 80(1), which will consider how it and the associated provisions in the Bill have operated in practice and assess the merits of implementing article 80(2) in the future. The review will involve consultation among relevant stakeholders, such as the Information Commissioner, businesses, privacy groups, the courts, tribunals and other Departments. The new clause requires the Secretary of State to conduct the review and present its findings to Parliament within 30 months of the Bill’s coming into force. That is necessary to provide enough time for there to be sufficient evidence to scrutinise the options provided in article 80(1) in the civil courts. Were the review period to be substantially shorter, it would increase the likelihood of there being a paucity of evidence, which would undermine the effectiveness and purpose of the review. Upon the conclusion of the review period, the Secretary of State will have the power, if warranted, to implement article 80(2), allowing non-profit organisations to exercise the rights awarded to data subjects under articles 77, 78, 79 and 82 on their behalf without first needing their authorisation to do so.

Amendments 63 to 68, 73, 74 and 115 are consequential amendments that tidy up the language of the related clause, clause 183. They provide additional information about the rights of data subjects that may be exercised by representative bodies. I commend the amendments to the Committee.

Liam Byrne

I will speak to amendments 154 and 155, which are in my name and those of my hon. Friends. The broad point I want to start with is a philosophical point about rights. If rights are to be real, two things need to be in place: first, a level of transparency so that we can see whether those rights are being honoured or breached; and, secondly, an efficient form of redress. If we do not have transparency and an effective, efficient and open means of redress, the rights are not real, so they are theoretical.

We think there are some unique circumstances in the field of data protection that require a slightly different approach from the one that the Government have proposed. The Government have basically proposed an opt-in approach with a review. We propose an opt-out approach. We think that the argument is clear cut, so we do not see why the Government have chosen to implement something of a half-measure.

The Bill gives us the opportunity to put in place an effective, efficient and world-leading form of redress to ensure that data protection rights are not breached. The reality is that large-scale data breaches are now part and parcel of life. They affect not only the private sector but the private sector, which is partnering with Government. We have seen a number of data breaches among Government partners where financial information has been leaked. The reality is that data protection breaches around the world are growing in number and size.

What is particularly egregious is that many private sector companies admit to the scale of a data breach only many years after the offence has taken place. Yahoo! is a case in point. It had one of the biggest data breaches so far known, but it took many months before the truth came out. That has been true of Government partners, too. Sometimes a lesser offence is admitted to. There is muttering about a particular problem and then, as the truth unfolds, we hear that a massive data breach has taken place. The reality is that these firms are by and large going unpunished. Although the Bill proposes some new remedies of a significant scale, unless those remedies can be sought by ordinary citizens in a court, they frankly are not worth the paper they are printed on.

To underline that point, I remind the Committee that often we look to the Information Commissioner to take the lead in prosecuting these offences. My hon. Friend the Member for Bristol North West was right to celebrate the strength of our current Information Commissioner, but the Government have not blessed the Information Commissioner with unlimited resources, and that will not change in the foreseeable future. What that means is that in the last year for which we have information—2016-17—the Information Commissioner issued only 16 civil monetary penalties for data breaches. That is a very small number. We think we need a regime that allows citizens to bring actions in court. That would multiply the power of the Information Commissioner.

Article 80 of the GDPR addresses that problem in a couple of ways, and the Minister has alluded to them. Article 81 basically allows group or class actions to be taken, and article 82 says that the national law can allow representative bodies to bring proceedings. The challenge with the way in which the Government propose to activate that power is that the organisation bringing the class action must seek a positive authorisation and people must opt in. The risk is that that will create a burden so large that many organisations will simply not step up to the task.

--- Later in debate ---
Margot James

I thank right hon. and hon. Members for their contributions. We certainly agree with the need for a transparent system of rights over people’s personal data and a system of enforcement of those rights. We could not agree more with the thinking behind that, but we need to pause for thought before implementing article 80(2). The GDPR represents significant change, but we should test the effectiveness of the new enforcement scheme, including, as we have already discussed, article 80(1), before we make further changes of the type proposed this morning under amendments 154 and 155.

Amendment 154 applies article 80(2) with immediate effect and gold-plates it. We have a number of concerns with that approach. First, we are wary of the idea that data subjects should be prevented from enforcing their own data rights simply because an organisation or, in this instance, an individual they had never met before, got there first. That is not acceptable. It contradicts the theme of the Bill and the GDPR as a whole, which is to empower individuals to take control of their own data. As yet we have no evidence that that is necessary.

Liam Byrne

Let us take Uber—one of the most recent of the 200 data breaches listed on Wikipedia. In that case, 57 million records were leaked. How is one of those drivers going to take Uber to court to ensure justice?

Margot James

The GDPR places robust obligations on the data controller to notify all data subjects if there has been a breach that is likely to result in a high risk to their rights. That example is almost unprecedented and quite different—

Liam Byrne

It is not unprecedented. Look at the Wikipedia page on data breaches. There are 200 of them, including Uber, Equifax, AOL, Apple, Ashley Madison, Betfair—the list goes on and on. I want an answer to a very simple question. How is a humble Uber driver, who is busting a gut to make a living, going to find the wherewithal to hire a solicitor and take Uber to court? What is the specific answer to that question?

Margot James

If a data subject is sufficiently outraged, there is nothing to stop them contacting a group such as Which? and opting into a group action. Furthermore, a range of enforcement options are open to the ICO. It can issue enforcement notices to compel the controller to stop doing something that is in breach of people’s data rights. As I said, there is nothing to stop a data subject opting into a group action.

Liam Byrne

There is only one major precedent for the kind of scenario the Minister has sketched out today, which is Various Claimants v. Wm Morrisons Supermarket plc—a case she knows well. That case illustrates the difficulties of opt-in. It is by far the largest group of data protection claimants ever put together. Even then, the total number of people who could be assembled was 5,000 out of 100,000 people whose data rights were breached. That was incredibly difficult and took a huge amount of time. Even if the claim succeeds, the 95% of people not covered by the claim will not receive justice. I am not quite sure what new evidence the Minister is waiting for so that she has enough evidence to activate the kind of proposals we are talking about today.

Margot James

As I said, the GDPR represents significant change. We believe we should test the effectiveness of the new enforcement scheme before we make further changes of the kind the right hon. Gentleman is suggesting. The Morrisons case was effective. The collective redress mechanism—group litigation orders—was used and was effective. The Information Commissioner will have new powers under the Bill to force companies to take action when there has been a breach of data.

There are other problems with amendment 154. First, like the right hon. Member for Birmingham, Hodge Hill, we are concerned about children’s rights. We would be concerned if a child’s fundamental data rights were weighed up and stripped away by a court without parents or legal guardians having had the opportunity to make the decision to seek redress themselves or seek the help of a preferred non-profit organisation. Once that judgment has been finalised, there will be no recourse for the child or the parent. They will become mere observers, which is unacceptable and makes a travesty of the rights they are entitled to enforce on their own account.

Secondly, we must remember that the non-profit organisations referred to in the amendment are, by definition, active in the field of data subjects’ rights. Although many will no doubt have data subjects’ interests at heart, some may have a professional interest in achieving a different outcome—for example, chasing headlines to promote their own organisation. That is why it is essential that data subjects are capable of choosing the organisation that is right for them or deciding not to partake in a claim that an organisation has advertised. The amendment would also allow an individual to bring a collective claim on behalf of other data subjects without their consent.

Margot James

The Information Commissioner has powers to force companies to notify data subjects of any breach of data, and there is a legal requirement on companies so to do.

The amendment would allow an individual to bring a collective claim on behalf of other data subjects without their consent. We oppose it because it does not give people the protection of knowing that the entity controlling their claim is a non-profit organisation with a noble purpose in mind. I am pleased to say that, as I outlined this morning, the Government’s position was supported in the other place by the Opposition Front Benchers and the noble Baroness Kidron.

Liam Byrne

I am incredibly disappointed with the Minister’s response, and I am not quite sure I believe that she believes what she has been reading out. I hope that between now and Report, or whenever the amendment is pressed to a vote, she will have the opportunity to consult Which? and her officials. The reality is that for complex public policy decisions, whether relating to organ donation or auto-enrolment pensions, we have well-established procedures for opting out, rather than opting in. There has been strong cross-party support for that over the past seven or eight years, and it reflects a reality in new economic thinking. Behavioural economics shows that opt-out is often better than opt-in.

If the Government pursue that line of argument on Report, in the other place and through to Royal Assent, we will not permit the Minister ever again to refer to the Bill as a gold standard in data protection. It is a shoddy, tarnished bronze. She has sought to ensure that the legal playing field is tilted in the favour of large organisations and tech giants, and away from consumers and children. That will lead to a pretty poor state of affairs. We now have enough precedents to know that the regime she is proposing will not work. This is not a theoretical issue; it has already been tested in the courts. Her proposal will not fix the asymmetry that potentially leaves millions of people without justice.

The idea that the Minister can present the Morrisons case as some kind of success when 95% of the people whose data rights were breached did not receive justice because they did not opt in to the class action betrays it all. She is proposing a system of redress that is good for the few and bad for the many. If that is her politics, so be it, but she will not be able to present the Bill as the gold standard if she persists with that argument.

The Chair

As I said, we will deal with the Opposition amendments later in our proceedings.

Amendment 115 agreed to.

Schedule 6, as amended, agreed to.

Clauses 23 and 24 ordered to stand part of the Bill.

Clause 25

Manual unstructured data used in longstanding historical research

Amendment made: 17, in clause 25, page 15, line 40, leave out “individual” and insert “data subject”.—(Margot James.)

Clause 25 makes provision about the processing of manual unstructured data used in longstanding historical research. This amendment aligns Clause 25(1)(b)(i) with similar provision in Clause 19(2).

Clause 25, as amended, ordered to stand part of the Bill.

Clause 26

National security and defence exemption

Question proposed, that the clause stand part of the Bill.

--- Later in debate ---
The Parliamentary Under-Secretary of State for the Home Department (Victoria Atkins)

It is a pleasure to serve under your chairmanship, Mr Streeter. Clause 26 creates an exemption for certain provisions in the Bill only if that exemption is required for the purpose of safeguarding national security or for defence purposes. Where processing does not meet these tests, the exemption cannot apply. It is possible to exempt from most but not all the data protection principles the rights of data subjects, certain obligations on data controllers and processors, and various enforcement provisions, where required to safeguard national security or for defence purposes. In relation to national security, the exemption mirrors the existing national security exemption provided for in section 28 of the 1998 Act. The statutory framework has long recognised that the proportionate exemptions from the data protection principles and the rights of data subjects are necessary to protect national security. The Bill does not alter that position.

The exemption for defence purposes is intended to ensure the continued protection, security and capability of our armed forces and of the civilian staff who support them—not just their combat effectiveness, to use the outdated language of the 1998 Act. In drafting this legislation, we concluded that this existing exemption was too narrow and no longer adequately captured the wide range of vital activities that are undertaken by the Ministry of Defence and its partners. We have seen that all too obviously in the last two weeks.

Liam Byrne

On that point, will the Minister give way?

Victoria Atkins

If the right hon. Gentleman is going to disagree with me that combat effectiveness would be a very narrow term to describe the events in Salisbury, of course I will give way.

Liam Byrne

I actually wanted to ask about interpreters who support our armed forces. There is cross-party consensus that sometimes it is important to ensure that we grant leave to remain in this country to those very brave civilians who have supported our armed forces abroad as interpreters. Sometimes, those claims have been contested by the Ministry of Defence. Is the Minister confident and satisfied that the Ministry of Defence would not be able to rely on this exemption to keep information back from civilian staff employed as interpreters in support of our armed forces abroad when they seek leave to remain in this country?

Victoria Atkins

I cannot possibly be drawn on individual applications for asylum. It would be wholly improper for me to make a sweeping generalisation on cases that are taken on a case-by-case basis. I refer back to the narrow definition that was in the 1998 Act and suggest that our enlarging the narrow definition of combat effectiveness would mean including the civilian staff who support our brave troops.

The term “defence purposes” is intended to be limited in both application and scope, and will not encompass all processing activities conducted by the Ministry of Defence. Only where a specific right or obligation is found to be incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. The Ministry of Defence will continue to process personal information relating to both military and civilian personnel in a secure and appropriate way, employing relevant safeguards and security in accordance with the principles of the applied GDPR. It is anticipated that standard human resources processing functions such as the recording of leave and the management of pay and pension information will not be covered by the exemption.

Liam Byrne

I am sorry to press the Minister on this point, and she may want to write to me as a follow-up, but I think Members on both sides of the House have a genuine interest in ensuring that interpreters who have supported our troops abroad are able to access important information, such as the terms of their service and the record of their employment, when making legitimate applications for leave to remain in this country—not asylum—or sometimes discretionary leave.

Victoria Atkins

I am very happy to write to the right hon. Gentleman about that. The exemption does not cover all processing of personal data by the Ministry of Defence, but I am happy to write to him on that subject.

It may assist the Committee if I give a few examples of processing activities that might be considered to fall into the definition of defence purposes requiring the protection of the exemption. Such processing could include the collation of personal data to assist in assessing the capability and effectiveness of armed forces personnel, including the performance of troops; the collection and storage of information, including biometric data necessary to maintain the security of defence sites, supplies and services; and the sharing of data with coalition partners to support them in maintaining their security capability and the effectiveness of their armed forces. That is not an exhaustive list. The application of the exemption should be considered only in specific cases where the fulfilment of a specific data protection right or obligation is found to put at risk the security capability or effectiveness of UK defence activities.

The hon. Member for Sheffield, Heeley asked for a definition of national security. It has been the policy of successive Governments not to define national security in statute. Threats to national security are constantly evolving and difficult to predict, and it is vital that legislation does not constrain the security and intelligence agencies’ ability to protect the UK from new and emerging threats. For example, only a few years ago it would have been very difficult to predict the nature or scale of the threat to our national security from cyber-attacks.

Clause 26 does not provide for a blanket exemption. It can be applied only when it is required to safeguard national security or for defence purposes.

Data Protection Bill [Lords] (First sitting)

Liam Byrne Excerpts
Tuesday 13th March 2018

Public Bill Committees
The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

It is a pleasure to serve under your chairmanship, Mr Hanson. Clause 1 is a signposting overview of the Bill. It is not intended to have any effect other than to help us to navigate such a large Bill; I trust that hon. Members agree that it achieves its purpose.

Liam Byrne (Birmingham, Hodge Hill) (Lab)

It is a pleasure to serve under your chairmanship, Mr Hanson. Looking around the Committee Room, I see that you have an extremely unruly bunch of hon. Members to police in the next couple of weeks, but I know that you will do so with skill and care.

The Opposition do not wish to object to clause 1, which is basically the foundation stone of the Bill. We wish only to underline the Bill’s peculiarity in that it seeks to incorporate a piece of European legislation into British law without actually reproducing the legislation in question. Throughout the debate, we will hear references to the general data protection regulation—GDPR—a text that appears nowhere in the Bill. I hope that over the coming weeks the Committee will therefore focus on a series of principles for data protection. The Opposition will move amendments to enshrine those principles more firmly into our law. Beyond that, I have no objections to this foundation stone of the Bill.

Question put and agreed to.

Clause 1 accordingly agreed to.

Clause 2

Protection of personal data

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss new clause 12— Right to protection of personal data

“(1) A person (“P”) has the right to protection of personal data concerning him or her.

(2) Personal data must be processed fairly for specified purposes as set out in the GDPR, and in accordance with the provisions, exceptions and derogations of this Act; and on the basis of the consent of P or some other legitimate basis.

(3) The Information Commissioner shall be responsible for ensuring compliance with the rights contained within this section.”

This new clause would incorporate Article 8 of the Charter of Fundamental Rights of the European Union (Protection of personal data) into the Bill.

Liam Byrne

New clause 12, which I tabled with other Opposition members of the Committee, seeks to achieve something very simple: to incorporate article 8 of the EU charter of fundamental rights into British law. It is beyond dispute that both sides of the House share the objective of ensuring friction-free trade with our neighbour, the European Union, over the years to come. The role of this Bill in enabling that trade is of fundamental significance. Something like 70% of our exports of goods and services rely on the smooth transfer of data, and we know that the European data economy will be worth something like £643 billion by 2020. Despite all the efforts of the Secretary of State for International Trade, the reality is that the EU data economy, sitting next door to us, remains one of the most important, if not the most important, global markets from which we should aspire to profit over the years to come.

One of the great risks of Brexit is that technology firms will relocate, which is already beginning to take place. Many such firms will choose to headquarter in the Republic of Ireland. It is therefore in everybody’s interest that our trade and data protection regimes allow the smooth export of digitally enabled services. I hope that is not a contentious point.

In new clause 12, we propose to incorporate into British law what is, in effect, at the cutting edge of global data protection measures. It is not a trivial or frivolous new clause. Her Majesty’s Opposition did not make it up; it was crafted with techUK—an organisation that represents 950 companies, which employ something like 800,000 people and make up about half of the UK tech industry. When techUK proposes a fundamental measure of reform, it is important that we listen.

When we leave the European Union, we will need to agree with it an adequacy agreement by which it recognises the data protection regime in this country as adequate and therefore indicates that it is permissible for us to share data across the continental borders. The question, therefore, is how do we put that adequacy agreement beyond any doubt, not just for the immediate years after Brexit but for the decades to come? We know that trade will be fundamental to the health and wellbeing of our economy over many, many years. Let us put the data sharing regime between us and the European Union beyond doubt, not just for the short term but for the long term. Failure to get an adequacy agreement could arguably be fatal to the British economy. We simply cannot consider a shred of risk to that adequacy agreement. I hope that, having looked at this amendment and appreciated some of the refinements we made in the other place, the Government will decide that they will not put dogma in the way of agreeing to it. It is too important to leave to doubt.

In the debate on clause 1, I said that this principle was all the more important, because right hon. and hon. Members are being asked to agree to a Bill that does not feature the GDPR, which it seeks to incorporate into British law. Hon. Members can look it up if they like, but the Government have not set it out in a schedule or anywhere else. The fact that the Bill does not include the GDPR makes it all the more important that the House agrees a series of principles that are good now and for the future. Principles are paramount, and in this Bill the principle of privacy is first among equals.

The question of privacy is not disputed. It is a principle that has been agreed by our own Supreme Court in a recent case that was brought by the right hon. Member for Haltemprice and Howden (Mr Davis), who is now the Secretary of State for Brexit. Together with my hon. Friend the Member for West Bromwich East (Tom Watson), he brought the case of David Davis and others v. Secretary of State for the Home Department to the High Court, which confirmed the right of privacy in this country. This is not something that is necessarily party political; this is something on which there is strong cross-party consensus. These principles will become all the more important as the EU (Withdrawal) Bill is given effect because the Bill has thousands of ideas and proposals but kills off only one piece of legislation: the EU charter of fundamental rights.

A British tradition helped shape the EU charter of fundamental rights. We are the country of the Magna Carta and we are the country that helped craft the European convention on human rights after world war two to ensure there was never a return to the horrors of the 1930s and 1940s. Our lawyers played a fundamental role in shaping the EU charter of fundamental rights, but now, in the EU (Withdrawal) Bill, the Government decide to kill off the whole thing.

In killing off the whole thing, and in particular article 8—the fundamental foundational right to privacy—we create a new risk to keeping in lockstep the data protection regime in this country and the data protection regime in the European Union. If we bring that into doubt, we jeopardise an adequacy agreement for the future. I fear that, by setting their face against this new clause 12, the Government are, in some way and for some reason, trying to preserve the illusion of harmony between our regime and the regime of the European Union in order to camouflage the flexibility that might allow it to depart from regulatory harmonisation in the years to come. To coin a phrase, they are trying to have their cake and eat it.

That is not a reasonable position. The Minister will reassure us that that is not the intention of Her Majesty’s Government today. No doubt, she will tell us there is no will to try and win a race to the bottom in the data protection regime and many of us may be sympathetic to her position, as she is quite famously a reasonable Minister. However, the Tory party is not a stable place and the worry on all parts is not only how long the Minister will enjoy her office but what will come after her and what Government will come after this Government. There will be Governments of many colours over the course of the next 70 or 80 years and in this Committee we do not want to risk leaving unfettered a future Government who may take a less reasonable position than the famously reasonable Minister. That is why we want to move the incorporation of article 8 into British law.

We currently have a Bill without a data protection instrument and without clear data protection principles. That is a high-risk situation when, today, we have a low-risk regime. Nobody is particularly troubled by the current privacy regimes; we have been operating under article 8 of the EU charter of fundamental rights for some time and, certainly, no arguments I have heard suggest that it is troublesome in any way. What is wrong with continuing with it?

When we first crafted this new clause, there were some issues to which we were alert. A number of noble peers expressed a concern that we were creating too absolutist a right, a right without balancing test and provisions. That has been corrected in the new clause presented to this Committee today. We would therefore like to press it to a vote, as we want to ensure this fundamental right is part and parcel of British law for the years to come. It de-risks an adequacy agreement for data protection for the future. We have enjoyed the provisions of article 8 for some years, and there is no reason to suggest that they may be more troublesome in the years ahead. We do not think the Government want to depart from a harmonisation of regulations in this area over the years to come so the flexibility that this Bill currently offers will not be taken up. Let us put the matter beyond dispute and beyond doubt and let us incorporate article 8 into the Bill.

The Chair

I remind Members—particularly new Members—that new clause 12 is being debated now, but will not be voted on, if Members wish to have a vote, until we have completed consideration of the Bill. Today’s debate is on clause 2 and new clause 12, but the vote on the new clause will come later.

--- Later in debate ---
Margot James

I thank speakers for their thoughtful contributions. I share many of their concerns, as do the Government, particularly with regard to adequacy, which I will talk about in more detail. I think we are all agreed that after Britain leaves the European Union we must be able to negotiate an adequacy agreement for the free flow of data between us and the EU. That is absolutely essential.

First, the GDPR implements the right to data protection and more. It is limited in scope, but the Bill also implements data protection rights on four areas beyond GDPR. It applies GDPR standards to personal data beyond EU competence, such as personal data processed for consular purposes or national security. Secondly, the Bill applies the standards to non-computerised and unstructured records held by public authorities that the GDPR ignores. Thirdly, the Bill regulates data processed for law enforcement purposes. Fourthly, it covers data processed by the intelligence services.

There is no doubt in our minds that we have fully implemented the right to data protection in our law and gone further. Clause 2 is designed to provide additional reassurance. Not only will that be clear in the substance of the legislation, but it is on the face of the Bill. The Bill exists to protect individuals with regard to the processing of all personal data. I think this is common ground. We share Opposition Members’ concern for the protection of personal data. It must be processed lawfully, individuals have rights, and the Information Commissioner will enforce them.

New clause 12 creates a new and free-standing right, which is the source of our concern. Subsection (1) is not framed in the context of the Bill. It is a wider right, not constrained by the context of EU law. However, the main problem is that it is not necessary. It is not that we disagree with the thinking behind it, but it is not necessary and might have unforeseen consequences, which I will come to.

Article 6 of the treaty on European Union makes it clear that due regard must be had to the explanations of the charter when interpreting and applying the European charter of fundamental rights. The explanations to article 8 of the charter confirm that the right to data protection is based on the right to respect for private life in article 8 of the ECHR. The European Court of Human Rights has confirmed that article 8 of the ECHR encompasses personal data protection. The Government have absolutely no plans to withdraw from the European Court of Human Rights.

The new right in new clause 12 would create confusion if it had to be interpreted by a court. For rights set out in the Human Rights Act, there is a framework within which to operate. The Human Rights Act sets out the effect of a finding incompatible with rights. However, new clause 12 says nothing about the consequences of potential incompatibility with this new right to the protection of personal data.

Liam Byrne

The Minister is rehearsing the argument that was made in the other place before the requirements that we put into our amendments. She can see as well as me that the new clause was rewritten so that, under subsection (2), it is to be interpreted only

“in accordance with the provisions, exceptions and derogations of this Act;”.

So the idea that we are creating some kind of new and unfettered right is nonsense. We had this debate in the other place. We made refinements and they have been presented in the new clause.

If there is no dispute about the importance of adequacy and of putting it beyond risk, what is the problem with putting the question beyond doubt and dispute and incorporating the same foundation that is enjoyed in the European Union into British law?

Margot James

New clause 12 takes article 8 of the charter outside that context and creates a free-standing right. That is the potential for confusion. New clause 12 says nothing about the consequences of incompatibility with the new right to the protection of personal data. That would create legal, regulatory and economic uncertainty. We are endeavouring not just to ensure adequacy after we leave the European Union, but to go beyond the mere requirement for adequacy, as the Prime Minister set out in her speech almost two weeks ago.

Further, how would the courts approach other legislation in the light of this new right? One has to ask how they would approach other rights. Could this new right be balanced against other rights?

--- Later in debate ---
Liam Byrne

It is not a new right; it is a roll-over of an existing right. I have not heard of a case prosecuted in British courts where there was a problem with balancing the right that we currently enjoy with anything else. We simply seek to roll this right over into the future.

Margot James

That brings me on to my other point: not only does this roll-over, as the right hon. Gentleman puts it, threaten to create confusion and undermine other rights, but it is unnecessary. The charter of fundamental rights merely catalogues rights that already exist in EU law; it is not the source of those rights. The rights, including to data protection, which is, importantly, what we are here to debate, arise from treaties, EU legislation and case law. They do not arise from the European charter of fundamental rights, so we argue that the new clause is completely unnecessary.

--- Later in debate ---
Margot James

The European Union (Withdrawal) Bill fully protects the rights to data protection in our law. As I said earlier, we are seeking not only adequacy after Brexit, but a continuing role in conjunction with the bodies in Europe that govern the GDPR, with the idea that we continue to contribute our expertise and benefit from theirs.

Liam Byrne

I am afraid we have heard a very weak argument against new clause 12. The Minister sought to prosecute two lines of argument: first, that new clause 12 risks confusion in the courts; and, secondly, that it is not needed. Let me take each in turn.

First, there can be no risk of confusion because this is not a new right. It is a right we already enjoy today, and our courts are well practised in balancing it with the other rights we enjoy. We are simply seeking to roll over the status quo into the future to put beyond doubt an adequacy agreement not just in the immediate years after we leave the European Union but in the decades that will follow.

Secondly, the Minister sought to persuade us that the new clause was not needed, and she had a couple of different lines of attack. First, she said that the source of our new protections would be the incorporation of EU case law and legislation as enshrined by the European Union (Withdrawal) Bill. Of course, that is simply not applicable to this case, because the one significant part of European legislation that the withdrawal Bill explicitly does not incorporate is the European charter of fundamental rights. The Minister slightly gave the game away when she read out the line in her briefing note that said that the rights we currently have in EU law would be enshrined and protected “so far as it is possible to do so.” That is exactly the kind of risk we are seeking to guard against.

As noble peers argued in the other place, the challenge with incorporating the GDPR into British law is that this is a piece of regulation and legislation that reflects the world of technology as it is today. It is not the first bit of data protection legislation and it will not be the last. At some point in the years to come, there will be a successor piece of legislation to this Bill and the courts’ challenge will be to make judgments that interpret an increasingly outmoded and outdated piece of legislation. We have to ensure that judgments made in the British courts and in the European courts remain in lockstep. If we lose that lockstep, we will jeopardise the future of an adequacy agreement. That will be bad for Britain, bad for British businesses and bad for technology jobs in all our constituencies.

The challenge we have with regulating in this particular field is that sometimes we have to be anticipatory in the way we structure regulations. Anyone who has spent any time with the British FinTech industry, which Ministers are keen to try and enhance, grow and develop for the years to come, will know that FinTech providers need to be able to test and reform bits of regulation in conjunction not only with the Information Commissioner but with other regulators such as the Financial Conduct Authority. For those regulators to be able to guarantee a degree of regulatory certainty, sometimes they will need to look beyond the letter of a particular piece of legislation, such as the Data Protection Bill when it becomes an Act, and reflect on the spirit of that legislation. The spirit is captured best by fundamental rights. The challenge we have is in the thousands of decisions that our regulators must take in the future. How do we put beyond doubt or dispute the preservation of regulatory lockstep with our single most important market next door?

The Uruguayan defence offered by the Minister will reassure few people. We should not be aspiring to the Uruguayan regime; we should be aspiring to something much deeper, more substantive and more harmonious. The Minister’s proposal will create a field day for lawyers. We all like lawyers; some of our Committee members are former lawyers—recovering lawyers in some cases. Lawyers should enjoy a profitable and successful future, but we in this House do not necessarily need to maximise their profit-making possibilities in the future. However, that is exactly what the Minister is doing by creating a pot pourri of legislation, which lawyers and judges will have to pick their way through. It is much simpler, much lower-risk, much safer and better for economic growth if we put beyond doubt, dispute and question the harmonisation of our data protection regime with our single most important market. That is why we need to incorporate article 8.

Darren Jones

I have a copy of the general data protection regulation here. Recital 1 on the first page states:

“The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union—”.

Is it not the case, to use some imagery here, that at the moment the GDPR is built on a foundation as on page one of this fundamental right in the same way as a house is built on strong foundations? Are we now not seeking to build the same house but without the foundations? Does this risk us sinking our decision on adequacy?

Liam Byrne

My hon. Friend is right. He speaks with tremendous knowledge on this particular subject. There is a real risk that one of our most important industries will have its foundations wrecked by the inadequacies of this piece of legislation. There is no risk of confusion, there is no creation of a new and unchecked, unfettered right. We can draw no comfort from the EU (Withdrawal) Bill. There is a great risk of regulatory confusion and divergence over the years to come. I simply cannot understand why the Government would seek to put dogma and not the future protection of the British technology industry first.

This is not a trivial or frivolous issue; it has been put forward by the industry association representing half of technology jobs in this country. I hope that the Committee is persuaded by these arguments. We will seek to prosecute these arguments in a vote, at your discretion, Mr Hanson, but I hope that before we get to that point, the Government will see sense and accept the amendment.

The Chair

As I said, the vote on new clause 12, should there be one, will take place at a later date.

Question put and agreed to.

Clause 2 accordingly ordered to stand part of the Bill.

Clause 3

Terms relating to the processing of personal data

--- Later in debate ---
Margot James

Clause 7 defines the meaning of “public authority” for the purposes of the GDPR. Generally speaking, “public authority” will have the same meaning as the definition used in the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002. Those Acts list a wide range of public authorities, including Departments, local authorities and NHS bodies. As the new legislation beds in, the list of authorities imported from those Acts may need to be adapted to function properly in a data protection setting rather than a freedom of information setting. Clause 7(1) therefore allows the Secretary of State to specify in regulations that additional bodies are public authorities for the purposes of data protection legislation. Conversely, subsection (3) allows the Secretary of State to specify that certain bodies are not to be treated as public authorities, even if they are defined as such for the purposes of freedom of information legislation.

Amendments 7 and 8 clarify that the Secretary of State may describe bodies that are or are not public authorities in addition to specifying them. They are technical amendments designed to improve the terminology used in relation to the Secretary of State’s regulation-making powers. Amendments 18 and 19 make corresponding provisions in relation to part 3 of the Bill.

Amendment 62 is designed to ensure that regulations made under clause 7 will not be considered as hybrid instruments. Regulations made under the clause are already subject to the affirmative resolution procedure, and the general duty to consult before making regulations, which is set out in clause 179, also applies. In this setting, the hybrid procedure would add nothing but bureaucracy.

Liam Byrne

The amendments look like tidying-up amendments, but it would help if the Minister put on the record the extent to which they will allow the Bill to bite effectively on the nation’s schools. Obviously, schools collect a great deal of data. They often hold not only exam data but data relating to eligibility for free school meals, and most schools operate systems such as ParentPay, which means that they capture children’s biometrics. Anything to do with the protection of children’s data has to be treated incredibly seriously. The school system in this country has been balkanised—often, academies are set up as private sector entities in complex chains and have problematic governance arrangements—so I think we would all benefit from the Minister saying a few words about the Bill’s bite on schools, academies and colleges. Will she also say a little more about her plans to ensure that there are statutory codes of practice to which everyone who provides education services must adhere?

Margot James

I thank the right hon. Gentleman for his comments. Obviously, we share his concern about the protection of children. He cites important and highly sensitive personal data such as biometrics. Schools, like all bodies, must have a legal basis—the public interest or the normal course of their business—for processing personal data.

The right hon. Gentleman raises safeguarding. Later in our deliberations, my hon. Friend the Under-Secretary of State for the Home Department will introduce Government amendments to strengthen the safeguarding aspects of the processing of personal data. Schools are public authorities, and GDPR protections intended for authorities will apply, as I said. Schedule 3 provides further and specific protection on the points that he raises.

Liam Byrne

Will the Minister set on the record explicitly the fact that academies are covered in the same way as schools? An academy may be set up by a private sector organisation, set up as a charitable body, or set up in a way that is outwith the formal education system. Ofsted has raised concerns about unregulated schools, for example. Can she confirm whether organisations that provide education services—whether they are academies, charities or local education authority schools—are governed by the codes? Crucially, can she confirm that she will publish the code of practice?

Margot James

I certainly can confirm that the schools that the right hon. Gentleman has cited—academies run by private sector organisations and/or charities—are public authorities for the purposes of the Bill, and will be subject to the same protections.

Question put and agreed to.

Amendment made: 8, in clause 7, page 5, line 13, after “specified” insert “or described”.—(Margot James.)

See the explanatory statement for Amendment 7.

Clause 7, as amended, ordered to stand part of the Bill.

Clause 8

Lawfulness of processing: public interest etc

--- Later in debate ---
Daniel Zeichner

It is a pleasure to serve under your chairmanship, Mr Hanson. I shall begin by declaring an interest: I chair the all-party parliamentary group on data analytics, the secretariat to which is provided by Policy Connect. In that capacity, I have had the pleasure of having many discussions about GDPR with experts over the past couple of years. I reflect on what a very good process it is that British parliamentarians in the European Parliament are able to intervene on such matters at early stages, to make sure that when the legislation finally comes to us it already has our slant on it. That may not be possible in future when we come to discuss such legislation.

I represent a university city, so research is a key part of what we do. It is on that basis that I tabled the amendments, and I am grateful to the Wellcome Trust and the Sanger Institute, which have given me advice on how the amendments would help them by providing certainty for the work that they do. The purpose of amendment 141 is to ensure that university researchers and public bodies with a research function are able to use what is called the “task in the public interest” lawful basis for processing personal data, where consent is not a viable lawful basis. I apologise for going into some detail, but it is important for universities and researchers that there is clarity.

As the Bill is drafted, clause 8 provides a definition of lawfulness of processing personal data under GDPR article 6(1)(e). Subsections (a) to (d) of clause 8 set out a narrow list of activities that could be included in the scope of public interest. I am told that that list is imported from schedule 2(5) of the Data Protection Act 1998, but I am also told that the drafters have omitted a version of the final and most general sub-paragraph from that list, which reads:

“for the exercise of any other functions of a public nature exercised in the public interest by any person.”

It is speculated that that may have been taken out of the list to tighten up, and to avoid a tautology in defining “public interest”, but the worry is that taking it out has made the clause too restrictive. The explanatory notes indicate that the list in clause 8—that is, subsections (a) to (d)—is not intended to be exhaustive, but the Wellcome Trust and the Sanger Institute worry that it has narrowed the public interest terminology to a very narrow concept, which will be confined to public and judicial administration.

There was a very lengthy and very good debate in the other place on this matter. One of our universities’ main functions is to undertake research that will often involve processing personal data. In some cases, GDPR compliant consent, which may seem the obvious way of doing it, will not be the most appropriate lawful basis on which to process that data. It is therefore really important that an article 6 lawful basis for processing is available to university researchers with certainty and clarity.

The Government have included reference to medical research purposes in the explanatory notes, but the worry is that that does not necessarily have weight in law and the reference excludes many other types of research that are rightly conducted by universities. This is not a satisfactory resolution to the problems that are faced.

The amendment tries to enable research functions to be conducted by public bodies such as universities without doing what the Government fear, which is to broaden the definition of “public interest” too far. The wording retains the structure of the DPA list, from which the current clauses were imported, but it narrows it down in two ways. It specifies the purpose of processing, that is, research functions, which must be the reason for the processing and specifies who is doing the processing—the basis of it only being available to public bodies, as defined in the previous clause.

We are aware that the Government are worried about adding further subsections to the list. I think they said that it could open the floodgates in some way. However, I am told that there is not really any evidence to suggest that the current wording of paragraph 5 of schedule 2 of the Data Protection Act, which has a very broad notion of public interest, has in any way “opened the floodgates”. To give some sense of the concerns that have arisen, the processes by which university researchers seek permission to do things are quite complicated. Some of the bodies have already issued guidance. I am told that the Health Research Authority issued guidance on GDPR before Christmas. It advised that a clause on using legitimate interests should be included in the Bill.

There is confusion in the research sector, and there is a wider worry that if this is not clear, it is open to legal challenge. While some institutions will be able to take that risk, the worry is that smaller research bodies would conclude that, given the lack of clarity, it would not be worth taking that risk. I hope that the Government will think hard about the suggestion. It comes from the research institutions themselves and would give clarity and reassurance. I hope that the Minister will accept the amendment.

Liam Byrne

I want to say a few words in support of my hon. Friend and these important amendments. I think there is an acknowledgement on both sides of the Committee that if we are to prosper in the world that is coming, we are going to need to increase the amount of money that we spend on research and development and make sure that a research-driven economy reaches every corner of the country.

The world of innovation and research is changing very quickly. I think it is next year that China becomes the world’s largest science spender for the first time in several centuries. If we are to compete in this new world, we need to invest more in our R&D base. The Government have made some helpful commitments in this area. Their proposals are not quite as ambitious as the Labour amendments, but none the less all progress is welcome.

I hope that the Minister will reflect on the reality—the way in which research is conducted in our country is changing. In the past, I have called that a shift from the cathedral to the campus. Once upon a time, big firms put a lot of people in a large building and prayed for the best. Now, they are building business parks and creating ecosystems of innovation where they may have a shared research and development facility, otherwise known as a university. There may be big international companies with global reach organised around them, but there are also scores of much smaller firms. They may be as small as a couple of post-docs in a shared lab. If we look at facilities such as BT at Dashwood Park, the Crick Institute or GSK in Stevenage, we see big global companies with hundreds of smaller companies around them which are undertaking research with much greater speed and much lower risk, but with an impact that could change the world.

We cannot jeopardise the conduct of that research. My hon. Friend the Member for Cambridge is right to point out that where there is doubt about the law, or the powers and freedoms of research firms, there is a risk that such firms simply will not undertake such work in the UK, and instead will seek relationships either with global companies or, increasingly, with universities that have R&D facilities elsewhere. We want to create the world’s best place to undertake new science, and that means having a research regime that is the best in the world. We therefore need a data protection regime that helps and does not hinder, which is why the Government should accept these carefully crafted amendments.

--- Later in debate ---
Margot James

I beg to move amendment 9, in clause 8, page 5, line 29, at end insert—

“( ) an activity that supports or promotes democratic engagement.”

This amendment adds a reference to processing of personal data that is necessary for activities that support or promote democratic engagement to Clause 8 (lawfulness of processing: public interest etc).

Since the Bill’s introduction, it has been brought to our attention by a range of stakeholders from all sides of the political divide that there is concern about how processing for the purpose of democratic engagement should be treated for the purposes of the GDPR. As my noble Friend Lord Ashton set out in the other place, the Government believe that there is a strong public interest in political parties and elected representatives and officials being able to engage with the public both inside and outside elections, which may sometimes include the processing of personal data.

Having considered the matter further since the debates in the other place, the Government have concluded that it would be prudent to include a provision in the Bill to provide greater clarity to those operating in the area of democratic engagement. Helpfully, clause 8 already provides high-level examples of processing activities that the Government consider could be undertaken on grounds of public interest if the data controller can demonstrate that the processing is necessary for the purposes of the processing activity. As a consequence of the importance that the Government attach to the matter, amendment 9 adds to that list

“an activity that supports or promotes democratic engagement.”

That term has been deliberately chosen with the intention of covering a range of activities carried out with a view to encouraging the general public to get involved in the exercise of their democratic rights. We think that that could include communicating with electors, campaigning activities, supporting candidates and elected representatives, casework, surveys and opinion gathering and fundraising to support any of those activities. Any processing of personal data in connection with those activities would have to be necessary for their purpose and have a legal basis. We will ensure that the explanatory notes to the Bill include such examples, to assist the interpretation of what this provision might mean in practice.

The amendment does not seek to create a partisan advantage for any one side or to create new exemptions from the data protection legislation. It is intended to provide greater clarity. It is also independent of any particular technology, given that in a short time we have moved from physical post to email, Twitter, text messages, WhatsApp, Facebook and so forth.

The Government are always open to suggestions of what else could be done to ensure legal and operational clarity for political parties and elected representatives. Further work might be needed to ensure that their current activities have the legal basis required to rely on the public interest condition. The Government will shortly engage with political parties via the parliamentary parties panel to discuss the matter further and in more detail.

Liam Byrne

I was surprised and not a little troubled that the Minister did not include the opportunity of creating Member-specific apps in her list—especially those which suck out the pictures from someone’s phone without their permission. Presumably that was not included in her list because that is already illegal.

I am grateful to the Minister for tabling the amendment and for her earlier correspondence with my noble Friend Lord Kennedy. She undertook to reflect on that correspondence and bring forward amendments. She helpfully set out a list of some of the activities that may be undertaken by a political party that fall within the ambit of the amendment. She gave a pretty comprehensive list, but will she put beyond doubt whether canvassing and collecting canvass returns were in her mind when she tabled the amendment and are therefore covered by the amendment? That would be extremely helpful.

The amendment is well intentioned. The health of our democracy is important to all parties. We look forward to the conversations that she will broker through the parliamentary parties panel.

--- Later in debate ---
Liam Byrne

The clause is an important topic of debate because it enshrines the Government’s derogation from European frameworks in law and sets the minimum age of consent for data processing at 13 rather than 16.

That derogation was invented before social media companies arrived at their current strength and delivered the very wide and sophisticated range of tools that help ensure that children become almost addicted to social media devices. In the debate on this topic over the last two or three months there have been fresh revelations from leaders of social media firms that they forbid their children to engage in the apps that their companies deliver. We have had revelations from engineers who have worked at companies such as Facebook, Twitter and Instagram that a great deal of thought goes into how they create devices and forms of interaction that encourage that basic addiction to their apps.

We are at the beginning of what I hope is a period of re-regulation and better regulation of these firms, so that we can do away with many of the risks that affect our children. In a way, I was encouraged to see the Secretary of State’s interview with The Times on Saturday, in which he said very clearly that he would like to see better regulation of social media firms in this country before his own children are tempted to engage in this exciting online world. Many of us have children who are already engaged in this and, as a parent, I have real concerns about the freedom with which social media companies can develop and deliver these techniques, as well as their freedom to take a rather relaxed view of taking down often unfortunate and extremist content. I know that we will have this debate later, and we have tabled amendments to encourage the Government to set a deadline for reforming the electronic commerce directive.

It is important to draw a little more out of the Government about how they see the safeguards coming into place around clause 9. We have not sought to challenge the derogation the Government seek to enshrine in the Bill, but we ensured widespread support for Baroness Kidron’s amendment on the creation of an age-appropriate code. However, rather than simply wave clause 9 through, it is incumbent on the Minister to say a little about how she will ensure that there are adequate safeguards in place to protect our children from the very threats the Secretary of State lit up in lights on Saturday.

Margot James

I support the general tone of the right hon. Gentleman’s comments. I too was pleased to see the interview with the Secretary of State, his focus on the addictive nature of some of these apps and the idea that there could be within the technology a means of limiting the time children spend on them, which parents could click on. The Information Commissioner’s Office will publish guidance shortly on how clause 9 will work and what those safeguards will be. She will take into consideration an age-appropriate design, as suggested by Baroness Kidron.

Overall, where online services referred to in the Bill as “information society services” choose to rely on consent as the basis for their processing, article 8 of the GDPR sets the age below which a website must obtain the parents’ and not the child’s consent. Most websites will be captured by this additional safeguard, ranging from online banking to search engines to social media, with social media probably being the most relevant to the age group in question.

The GDPR gives member states the flexibility to set this age within a prescribed range of between 13 and 16. The Bill sets it at 13, with an exception for preventive and counselling services, for which the test is based purely on the child’s capacity to understand what they are being asked to consent to. The Government are satisfied that the Information Commissioner’s Office has adequate enforcement powers, including large fines for any offences committed in this area.

--- Later in debate ---
It would therefore be inappropriate to give the Government the power to hand out new powers to process sensitive data without proper scrutiny and the ability of parliamentarians in this place to amend such proposals. It would be completely inappropriate to do it by all or nothing, “accept or reject” statutory instrument procedures. Any adjustments to this fine balance deserve the greatest of scrutiny; we on this Bill Committee are essentially wasting our time if we are just handing the Government a blank cheque to hand out powers as and when they see fit. We seek support for our amendments to remove these Henry VIII powers from the Bill.
Liam Byrne

We support these amendments very strongly, and if possible we would like to test the Committee’s will on this. The Bill has a succession of Henry VIII powers at a number of different clauses, which in effect give the Secretary of State the power to vary and amend regulations that are incredibly important. We cannot detach this debate from the earlier debate on the incorporation of article 8. We now have a Bill that is pretty weak on the fundamental principles of law that it seeks to enshrine; the Government want to set their face against incorporating some protections that we have in the European charter of fundamental rights. Therefore, the idea that we leave out some fundamental protections of rights, but then hand over to the Minister unfettered power to make regulations as he or she sees fit, does not seem to be in Parliament’s best interest. We think that the Government need to think again.

The powers in this particular clause create the possibility that exemptions to data protection rights, which have not been considered or debated in Parliament, go through effectively at the whim of the Minister. Those powers are enshrined in clause 10, and in clauses 35 and 86; we will come on to those debates, but the powers that clause 10 proposes to grant the Minister are in effect unilaterally to vary the conditions and safeguards governing the general processing of sensitive personal data—the general data set out in schedule 1—and then to add new conditions to schedules 1, 8 and 10.

That means that we would basically give the Secretary of State the power to expand the permissible reasons to allow processing of sensitive personal data, both generally and particularly for law enforcement and intelligence agencies. That is something that has been considered extensively in the other place. The House of Lords Constitution Committee said:

“The Government’s desire to future-proof legislation…must be balanced against the need for Parliament to scrutinise and, where necessary, constrain executive power.”

The Delegated Powers and Regulatory Reform Committee said that

“it is not good enough for Government to say that they need ‘flexibility’ to pass laws by secondary instead of primary legislation without explaining in detail why”.

The Ministers slightly let the cat out of the bag when Baroness Chisholm spoke up for the Government and said that if they were to accept the Committee’s recommendations in full that would

“leave the Government unable to accommodate developments in data processing and the changing requirements of certain sectors”—[Official Report, House of Lords, 11 December 2017; Vol. 787, c. 1464.]

That includes, for example, the insurance sector. That is patently nonsense. It would not constrain the Government’s ability to introduce wise regulations in this place; it would simply constrain the Government’s ability to do that unilaterally without effective recourse to Parliament. We are seeking a very clear Government explanation as to why the Secretary of State, not Parliament, should be empowered to alter the data protection regime to keep it up to date, and that explanation needs to be all the more robust following the remarks that the Minister has made about her attitude towards incorporating the fundamental right of privacy in British law.

We think that the amendments would be sensible constraints on Henry VIII powers. There is wide consensus across both Houses that they are necessary. They will not damage or diminish the Secretary of State’s ability to keep regulation up to date. Many of us have been in this place long enough to know that it is perfectly within the Executive’s power to keep regulatory reform on track if the political will is there. We are asking for a defence of Parliament’s right to oversee, scrutinise and, where necessary, constrain the powers of the Secretary of State to regulate in this field.

Margot James

Following recommendations by the Delegated Powers and Regulatory Reform Committee, we have considered carefully the use of the Bill’s order-making powers and amended the Bill in the House of Lords to provide additional safeguards for the exercise of those powers, but Members of the Lords on all sides of the House agreed that it was essential to retain the order-making powers in the Bill as amended.

I will explain how the powers will be used in practice. Article 9 of the GDPR prohibits the processing of special categories of personal data unless one of the exemptions in paragraph 2 of article 9 applies. The exemptions include, for example, the situation where processing is necessary for reasons of substantial public interest. Schedule 1 to the Bill provides a series of processing conditions for special categories of data under article 9 and criminal convictions data under article 10. Most of those processing conditions have been imported from the Data Protection Act 1998 and statutory instruments made under that Act, but some of them are new—for example, the conditions on anti-doping in sport or processing for insurance purposes. They have been added to reflect the way in which the use of data has changed over the past 20 years.

Amendment 129 would remove the ability to amend schedule 1 via secondary legislation. That would be particularly damaging because it would mean that primary legislation might be needed every time the need for a new processing activity involving special categories of data arose. The 1998 Act was itself amended several times through secondary legislation, and it is important that we retain the flexibility to respond to emerging technologies and the different ways in which data might be used in the future.

It is interesting to note that the hon. Member for Sheffield, Heeley has tabled an amendment to schedule 1 that would add a completely new processing condition in relation to maintaining the missing persons register. My hon. Friend the Under-Secretary of State for the Home Department will touch on the merits of that proposal later, but the fact that others in the Committee are considering further changes to schedule 1 illustrates the point that schedule 1 cannot simply freeze the regimes in parts 3 and 4 of the Bill. I urge colleagues to resist the amendment.

--- Later in debate ---
Moving to the technical amendments in the group, amendment 88 corrects a mistake in the drafting of paragraph 16 of the schedule relating to processing in connection with occupational pensions.
Liam Byrne

Oh dear!

Margot James

It does happen. That is not a new provision, but one that was imported from the current law. Unfortunately, some crucial words were accidentally lost in the process of importing it. The amendment reinstates them.

Schedule 1 sets out UK domestic legislation to allow the processing of particularly sensitive data in certain circumstances. The Government’s view is that the processing of such data must be undertaken with adequate and appropriate safeguards to ensure that individuals’ most sensitive data is appropriately protected. One of those safeguards is the new requirement for an appropriate policy document to be maintained in most circumstances when special categories of data and criminal convictions data are processed. That is set out in paragraph 5 and part 4 of the schedule.

Since the Bill’s introduction, we have reflected on whether there are cases where the requirement to hold an appropriate policy document is so disproportionate that, rather than improving protections, it effectively prevents the necessary processing from taking place. Amendments 79, 82 and 90 remove the requirement for a controller to have an appropriate policy document where processing involves the disclosure of special category data to a competent authority for the detection or prevention of an unlawful act, the disclosure of special category data for specific purposes in connection with journalism, or the disclosure of special category data to an anti-doping authority. Amendment 80 defines what is meant by “competent authority”. The aim of those amendments is to avoid a scenario in which an individual who never normally processes data under schedule 1 wishes to report a crime, report something of public interest to the media or report doping activities in sport and, in so doing, processes special categories of data and would have to have in place an appropriate policy document.

Amendment 76 reflects that change to the requirement to have an appropriate policy document by inserting the words, “Except as otherwise provided” in paragraph 5 of the schedule. Amendments 87 and 89 make it clear that, in the context of schedule 1, “withholding consent” means doing something purposeful, not just neglecting to reply to a letter from the data controller. That avoids a world in which data controllers have an incentive not to bother requesting consent in the first place.

Paragraph 31 of the schedule requires the controller to have an appropriate policy document in place when relying on a processing condition in part 2 of the schedule to process criminal convictions data. However, all the provisions in part 2 are subject to the policy document requirement except where noted, so there is no reason to state it again in paragraph 31. Amendment 91 removes that duplicate requirement. It is simply a tidying-up amendment to improve the coherence of the Bill.

Draft Electronic Commerce Directive (Miscellaneous Provisions) Regulations 2018

Liam Byrne Excerpts
Tuesday 6th March 2018

General Committees

Liam Byrne (Birmingham, Hodge Hill) (Lab)

This is the first time I have had the privilege of serving under your chairmanship, Mr Austin, and it is of note that we have not only a Chairman from the west midlands but two Front Benchers as well.

I am grateful to the Minister for her speech. It was almost as long as her speech last night in winding up five hours of debate on the Data Protection Bill. I am sorry that we none the less managed to stretch business to 10 o’clock.

The regulations are important, but the e-commerce directive is hopelessly outmoded and outdated. It regulates internet service providers, but was written before most of them came to enjoy the force and stature they do today. None the less, it is what we have, and if we can use regulations attached to it to make progress, in particular in the defence of children and their safety online, we must seize those opportunities with both hands. We will not, therefore, divide the Committee today. However, I ask the Minister to reflect, in her winding-up remarks, on why it has taken so long for those necessary defences to be brought to the House, and invite her to look to the future and tell us how long we will have to wait for proposals for the e-commerce directive to be modernised. Now that we are leaving the European Union, there are all sorts of opportunities to modernise laws in a way that maintains a degree of regulatory harmony, and therefore trade, with our biggest continental market and that also brings regulation of this important industry up to date.

Data Protection Bill [Lords]

Liam Byrne Excerpts
Money resolution: House of Commons & Programme motion: House of Commons
Monday 5th March 2018

Commons Chamber
Amendment Paper: HL Bill 77-I Marshalled list for Third Reading (PDF, 71KB) - (16 Jan 2018)

Peter Heaton-Jones

The hon. Lady is right that the Press Complaints Commission did fail, which is why it is rightly no longer there and we now have a new framework. While we are talking in general about regulation, I should say that I have some sympathy with the question marks raised over the regulation of my former employer, the BBC. We got that wrong for many years. There was the bizarre situation in which the BBC board—later, the BBC Trust—was acting as both poacher and gamekeeper, marking its own homework. The Government have rightly sought to put that right and we have moved a long way towards doing so.

I do not believe that the answer to the wrongs that still exist in the regulatory regime for newspapers lies in the amendments that have come our way from the other end of the Palace of Westminster. I do not believe that they would do the job that, as my hon. Friend the Member for North Herefordshire rightly said, the people outside this place want us to do: to make sure that they have a fair right of reply when something wrong is done to them by newspapers.

Liam Byrne (Birmingham, Hodge Hill) (Lab)

I am grateful to the hon. Gentleman, who is being characteristically courteous in giving way to so many Members. Can he point to another area of public policy in which as many suspicions have been aroused, but that has been improved by our collectively deciding to just move on and leave things in the dark?

Peter Heaton-Jones

No one is suggesting just moving on and leaving things in the dark. That is not at all what the Government intend to do. If we look carefully at the words the Secretary of State used on Thursday, we see that there is no question of our moving on and saying, “There’s nothing to see here.” We are saying that the mechanism suggested in the amendments from the other place is not the right way to proceed. I agree with the position taken by the Secretary of State.

Liam Byrne

With the greatest of respect, regulations are forward looking, but the inquiry that we are seeking goes into past malpractice for the simple reason that we would like justice to be done.

Peter Heaton-Jones

I do not believe that the inquiry that the other place seeks, through its amendment, to impose on the Bill would do the job that the right hon. Gentleman wants done. The position that the Secretary of State laid out on Thursday is the right way to proceed. Leveson 2 would simply not do the job that many Members on both sides of the House want it to do.

I am going to move on, as I am thinking about Mr Deputy Speaker’s strictures about timing.

--- Later in debate ---
Mike Wood

I understand exactly the hon. Gentleman’s point, with which I have a little sympathy. However, when the media are behaving unfairly and something is inaccurate, distorted or misleading, it is of course right that there are proper procedures for redress. I have absolutely no problem with greater access to justice, but, on the measure’s own terms, it would fail in this regard.

Clearly, the hope is that the proposal would somehow pressure the media into signing up to a state-approved regulator, but for those who remain outside such a system, changing the basis for awarding costs would not improve access to justice. It would not prevent our libel and defamation laws from being the preserve of the already rich and powerful. All it would do is deter proper, quality investigative journalism. It would deter community and local reporting, where, shall we say, conflict within communities is not unheard of. If, when a claim is brought, there is an assumption—not quite but almost without regard to the merits of the case or who the claimant is—that the defendant will have the costs awarded against them, that is an enormous disincentive to continue with a story, even when doing so is clearly in the public interest. It must be the case, when there is criminal behaviour and when something is actionable—

Liam Byrne

Will the hon. Gentleman give way?

Mike Wood

I am just concluding. When something is criminal, the full weight of the law should fall on those who break it. When something is actionable, we need streamlined procedures that actually work—an array of alternatives, not just the one-trick pony in this proposal. However, when publishers are confident that their story is accurate, fair and proportionate, the only proper response is to publish and be damned.

--- Later in debate ---
Liam Byrne (Birmingham, Hodge Hill) (Lab)

This has been quite a useful debate for rehearsing the arguments and divisions that I suspect we will have when the Bill moves upstairs to Committee. Some of our debate, particularly in the speeches made by Opposition Members, has even been about data protection.

It is probably fair that I start with the note of unity that the shadow Secretary of State, my hon. Friend the Member for West Bromwich East (Tom Watson), set out at the beginning of his remarks. I think there is a great deal of optimism on both sides of the House about the possibilities of technology in the years to come. The philosophical difference is that we genuinely believe that the new world of trade for the years to come will be built on a world of trust. If we are to have a really robust foundation of trust in the digital economy that will take shape over the course of this century, we will need a strong regime of rights. We need rights that are comprehensive and genuinely enforceable in courts, where necessary, and those rights need to live in a democracy that has safeguards, including safeguards around the way in which elections are fought in the digital age—those elections need to be free and fair—with a press that is clean.

The problem with the Bill, as we see it, is that it is an opportunity missed. The Secretary of State argued that it was forensic; we would argue that it is a little bit more piecemeal. It is not haphazard; it is seeking to do a job by incorporating a substantive bit of legislation from Brussels into British law. However, we are troubled that the privacy provisions are not quite robust enough, and that argument was well made by a number of my right hon. and hon. Friends. In particular, the decision not to include the text of article 8 of the EU charter of fundamental rights to safeguard privacy and ensure that adequacy agreements will be there in years to come was an error. The approach is just too risky, as my right hon. Friend the Member for East Ham (Stephen Timms) warned.

These risks of divergence are serious because so much of our exports, in particular to Europe, are services exports. Some 70% to 80% of those services exports may be digitally enabled, so we simply cannot afford any risk whatsoever. We need to put all risk to any future adequacy agreement beyond doubt.

My hon. Friend the Member for Bristol North West (Darren Jones), our man for definitions and a great deal more, made a very effective point about this not being a one-off exercise. This process will endure, so we are trying to make sure that British and European courts interpret privacy law in a way that is continually consistent over the years to come.

We all need to recognise the juggling act that the Prime Minister is trying to perform. We all need to acknowledge with some honesty the creative ambiguity that she sometimes needs to sustain to keep everybody on the train. I think we all recognise the precariousness of her position. We know that her personal position as captain of the ship is not trouble-free, so I think that those on the Treasury Bench will forgive us for not relying on the full weight of a No. 10 press release, as terribly robust as that is, as ensuring that adequacy provisions will be secured through the commitments that she has made to protect privacy. We would much rather rely on the full weight of the law, because that feels like a much more reassuring position.

In the modern economy, there are rights that we need to take into account. Those rights are new and increasingly necessary in the modern age, such as the right not to suffer as a result of decisions made not by humans but by algorithms. My hon. Friend the Member for Cambridge (Daniel Zeichner) made the powerful point that the great risk of algorithms that take decisions is that they may hard-code old injustice into new injustice. That idea should trouble us all. The Bill does not include adequate safeguards against that at the moment, so we will need to address that.

We heard the troubling line of argument in the debate that we should carve out newcomers to this country from the rights and safeguards that are enjoyed by everybody else under the Bill. I have to say to the Minister that the measures on immigration are a mistake. We will seek to delete them, and I hope she accepts that initiative. I was the Immigration Minister who introduced the biggest shake-up to our immigration system for 40 years. I created the UK Border Agency, and I introduced the points system. In my two or two and a half years in the Home Office, I came to learn that our immigration system is not some celestial design—it is a human institution. The Home Office and the immigration system take decisions that are bad or wrong and that need to be corrected. If we delete the protections under the Bill for newcomers, we will put justice in jeopardy. We will genuinely risk denying justice to those newcomers who need information to fight their cases effectively.

I lost cases that were brought because people were able to draw on information through subject access requests, and justice was eventually done in those cases. However, mistakes are made, and I do not think the Minister wants a system that is so prone to error. We have to build in checks and balances to the immigration justice system, and she has perfectly adequate safeguards on crime prevention in the Bill. As a former Home Office Minister, I can recognise what is basically a gratuitous land grab by the Home Office. These powers are not needed, and I hope the Minister will ask her Home Office colleagues to look at the provisions again.

For rights to be real, there needs to be a method of enforcing them effectively, which is why the provisions for collective redress are so important. The shadow Secretary of State talked about the work that we have done with people such as Baroness Kidron in the other place on safeguarding rights for children. A third of internet users are children, and we need to ensure that their rights, along with those of everybody else, are actually enforceable. The idea that a child whose rights are violated will take Facebook to court is, frankly, fanciful. We need to allow consumer organisations and others to take what are in effect class actions, because otherwise the implementation of rights risks being weak, undermining not simply justice, but the strength of our regulatory regime.

We will want to propose other, more comprehensive rights. We are not under any illusions about the Government accepting our data Bill of rights in full, but we want to make sure that such rights are on the table because we are at the start of a process. Just as there were something like 17 Factory Acts during the 19th century, there will be many data protection and e-commerce modernisation Acts over the next 80 years. I am afraid that Members will, for better or worse, have to get used to that process. We think that putting in place a strong framework for rights and enforcement now is just a wise precaution for the future.

As we have heard in many contributions, there will be quite a lot of toing and froing about some of the amendments made in the other place. I hope that many in the House will not take the approach of the hon. Member for North Devon (Peter Heaton-Jones). I feared at times that he was anticipating that we could somehow secure justice regarding suspected historical offences by closing the door, switching off the lights and pretending that nothing had ever happened. I do not think that there are many fields of public policy in which that has proved to be a successful foundation for reform. It is important that we delve into offences that took place in the past.

My hon. Friend the Member for Hammersmith (Andy Slaughter) made some important points. Politicians on both sides of the House made promises to the victims of phone hacking, and it is an extremely dangerous precedent for a Secretary of State to say, “Yes, I know we made promises about an inquiry but, you know what, we don’t think that inquiry, even though it isn’t finished, really should wind its course to a conclusion.” It is not a satisfactory state of affairs when the Executive can intervene and, in effect, seek to stop inquiries in their tracks, in the teeth of opposition—in this case, from the noble Lord Leveson—setting out why they should actually continue.

I hope that many Members will, like the hon. Member for North Herefordshire (Bill Wiggin), argue for the importance of honouring promises made in the past, and indeed of making sure that we have a press regulation regime that balances the interests of a free and fair press with the need not to defame people wilfully. The Government are making an odd argument by asking us to take them seriously when they want to install a new data protection regime, while at the same time short-circuiting an inquiry into the most egregious violations of data privacy that we have ever seen in the public sphere. I am afraid that that approach does not inspire a terrific amount of confidence, so I hope that the Minister and the Secretary of State will listen again to the pleas of Lord Leveson and reconsider their support for the amendments that were carried with such force in the other place. The Government may make their own proposals, but I suspect that there will continue to be a strong body of support in the other place for those amendments.

Stephen Timms

May I take it from what my right hon. Friend says that the official Opposition’s position is that we will support the retention of the amendments agreed in the other place?

Liam Byrne

My right hon. Friend is absolutely right. We will support the retention of those amendments, and we will seek to offer a much more wide-ranging, comprehensive approach, which we think the Government should take. We will offer a much more comprehensive, well-rounded and thought-through system of rights for the digital age. We will offer an effective means of safeguarding those rights through the introduction of new forms of collective redress. We will offer new safeguards that help to protect our democracy and that ensure free and fair elections and press justice.

We will also seek to prompt the Government to confirm precisely when they will modernise the e-commerce directive, because many of the threats to freedom in the digital age will come from the fearsome five data giants of this age, which will need regulating in new ways. I think there is some cross-party consensus about the need for the e-commerce directive to be modernised, so we will table amendments that will encourage the Government to get their skates on. Crucially, however, we will table amendments that put beyond doubt the future of any adequacy agreement with the European Union.

As the economy changes, so must the law. There will be many more data and privacy laws to come in the years ahead. We will encourage the Government to put in statute a framework that is not merely fit for today, but fit for the future.

The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

I thank all Members for their contributions to this excellent and wide-ranging debate and their lordships for the immense amount of work that they have done on the Bill thus far. Members on both sides of the House want a Bill that protects personal data and allows individuals to maintain control over what is their property and what is important to them, and we want these rights to be enforceable. That is a positive start on which we can all agree.

Various Members, including the hon. Member for Bristol North West (Darren Jones), the right hon. Member for East Ham (Stephen Timms) and the shadow Minister, stressed the importance of the continuity of adequacy post Brexit. The hon. Member for Bristol North West asked what the Prime Minister meant by saying that she wanted to achieve more than adequacy. It was, I am sure, to ensure that the Information Commissioner can continue her excellent contribution to the evolution of the GDPR through her association with the European data protection board, when that comes into being.

The hon. Member for Argyll and Bute (Brendan O’Hara), the hon. and learned Member for Edinburgh South West (Joanna Cherry), the right hon. Member for Kingston and Surbiton (Sir Edward Davey) and many others mentioned immigration. I want to reassure the House that we are seeking not a blanket exemption, but something that can be applied only when complying with a certain right would be likely to prejudice the maintenance of effective immigration control. Every request to exercise a right under the GDPR would still have to be considered on its individual merits, and the rights of appeal required by the GDPR remain in place.

There was a great deal of debate about the freedom of the press. In the short time that I have, I cannot do justice to the fantastic contributions from my hon. Friends the Members for North Devon (Peter Heaton-Jones) and for South Dorset (Richard Drax) and the hon. Members for Edinburgh West (Christine Jardine) and for Keighley (John Grogan). We heard the real show stopper from my hon. Friend the Member for North East Somerset (Mr Rees-Mogg), who was listened to with rapt attention as he contrasted the pretence of freedom of speech with the reality of control, which would be the result of the amendments to which we have been asked to agree. The Government have been clear that we will attempt to defeat them in this place.

We have had a very valuable debate. We have touched on various issues—children and social media, artificial intelligence and cyber-resilience—and there are others that we will address subsequently.

Liam Byrne

Will the Minister give way?

Margot James

I will have plenty of time in Committee to debate with the right hon. Gentleman. I am sure that we all agree that the Bill is important and timely.

Oral Answers to Questions

Liam Byrne Excerpts
Thursday 8th February 2018

Commons Chamber

Matt Hancock

As my hon. Friend says, there is a lot going on in this space. Last Friday, I visited the parent zone at Coupals Primary Academy in my constituency and saw a brilliant presentation teaching 8 to 11-year-olds how to be safe online. There is a lot more to do in this area, so that young people grow up resilient and able to use the opportunities that the internet presents safely. I pay tribute to Internet Matters for its work.

Liam Byrne (Birmingham, Hodge Hill) (Lab)

In the internet safety strategy, the Secretary of State proposed that there would be specific measures to protect children, yet when the Data Protection Bill came to the other place there was a hopeless deficit of any specific measures to protect children. It fell to Baroness Kidron, supported by us, to remedy the gap. When the Bill comes to the Commons, will the Secretary of State agree to work constructively with us to ensure that proper digital rights for children, who make up a third of users, are included in the Bill, like the very good five rights framework proposed by the Baroness and supported by us?

Matt Hancock

That is an interesting proposal. We supported the Baroness Kidron amendment. I welcome it and I think that we have made some progress. Of course, this issue is broader than just data protection, so we have to ensure that we get the legislation right. That Bill can only cover data protection, which is not the whole issue. Also, it would be a backwards step if the Bill gave the impression that the generality of measures did not apply to children because we have specifics that do. I am happy to talk further to the right hon. Gentleman and to work on this because it is clearly an area on which we need to make progress.

Proposal for Designation of Age-verification Regulator

Liam Byrne Excerpts
Thursday 1st February 2018

General Committees

Liam Byrne (Birmingham, Hodge Hill) (Lab)

It is a privilege to serve under your chairmanship, Mr Sharma—I think it is the first time I have had that honour. I congratulate the Minister on her new role. This is the first time we have faced each other in such a debate, and I am very much looking forward to spending an awful lot more time with her in Committee Rooms as the Data Protection Bill weaves its way through the House of Commons.

At this stage, I would normally preface my remarks with a lacerating attack on how the Government are acquiescing in our place in the world as a cyber also-ran, and I would attack them for their rather desultory position and attitude to delivering a world-class digital trust regime. However, I am very fortunate that this morning the Secretary of State has made the arguments for me. This morning, before the Minister arrived, the Secretary of State launched his new app, “Matt Hancock MP”. It does not require email verification, so people are already posting hardcore pornography on it. When the Minister winds up, she might just tell us whether the age-verification regulator that she has proposed, and that we will approve this morning, will oversee the app of the Secretary of State as well.

I noticed that the main contributors to the app are journalists, although it looks as though Ed Balls has also been on, because someone has posted “Ed Balls”. Those are the only words that have been posted, but it is the second-most favourited comment on the app this morning. For reasons that are not quite clear, when someone signs up to the “Matt Hancock MP” app, the app asks whether it can access that person’s photos. It is not quite clear whether that is an unintended breach of users’ privacy, but perhaps the Minister can tell us her attitude to that when she winds up as well. If people are posting pornography on it, as I am told they are, perhaps she could raise that with the Secretary of State when she returns. In her wind-up remarks, we expect her to tell us whether her regulator will include in its purview the app launched by the Secretary of State for Digital, Culture, Media and Sport this morning.

The second substantive point I wanted to make is a plea to the Minister. This morning she has contributed to the complete mish-mash and muddle that is digital regulation in this country. We already have Ofcom responsible for content regulation, unless it is on a platform such as Facebook or Twitter. We have the Information Commissioner, which is responsible for data protection. We have the Advertising Standards Authority, which is responsible for regulating adverts, but not political adverts. If the Republic of Russia paid for attack ads attacking Brexit mutineers, such as some of the hon. and right hon. Members sat on the Conservative Benches, that is not covered by the ASA. Now we have a fourth regulator to add to the mix: the BBFC. The challenge the Minister has is that so much is now falling through the cracks that she is in no way able to rehearse an argument that we have a digital regulation regime that is fit for the 21st century.

Let me give the Minister advance notice of some of the arguments we need to have during the consideration of the Data Protection Bill. This is a mess, and the Government have to bring forward substantive proposals to clear it up. The challenge she has got this morning is that she is proposing as an age-verification regulator an organisation that is hopelessly underfunded with no sense of what its scope should be. According to the BBFC’s annual report for 2016, it has £5.4 million in turnover. It has a grand total of 52 employees, and that is not up but down on the number for 2015. It receives no subsidy or budget from the Government. The Minister needs to tell us how much money she will ask for in Commons votes to fund the BBFC to fulfil this important new regulatory role.

Secondly, the question of mission creep is an important one for the Minister to answer. The BBFC said this month at the Free Speech Coalition leadership conference that it sees the powers under the Digital Economy Act as meaning that even social media sites such as Reddit, Twitter and Tumblr would have to eliminate adult content or block all under-18s from using them. If the BBFC’s attitude to Reddit, Twitter and Tumblr is that they need to block content for all under-18s, then “Matt Hancock MP” the app should be included in the purview of the regulator. I know the Minister will set our minds at rest. The question for her is how on earth this regulator with 52 people will ensure that Reddit, Tumblr and Twitter are taking down all adult content or blocking under-18s. We need to hear a concrete plan and some substantive reassurance from her this morning.

We are told that the enforcement of age verification will be undertaken not on a proactive basis, but by people reporting in complaints, yet the whole regime for collective redress has been shot through by the Government in the other place. Parents on their own cannot even get together with consumer organisations such as Which? to bring substantive redress under the terms of the Digital Economy Act.

The BBFC has given some reassurances that it will be able to distinguish between pornography and sex education, but it has not told us how. It claims to have a system for mobile devices that blocks websites with inappropriate content, but in evidence to the Public Bill Committee, the Open Rights Group said that the system is inaccurate, people have to actively choose the websites that are blocked, the websites are not automatically blocked, the websites are often blocked incorrectly and harmful websites are slipping through. We need to have substantial reassurances that the Minister is absolutely confident that the BBFC has the powers, resources, methodology, people and a strategy for fulfilling the terms of the statutory instrument. I would like some reassurance on those points, but crucially we all want to hear whether “Matt Hancock MP” the app will be included under the terms of the regulator.

--- Later in debate ---
Margot James

I thank my right hon. Friend for confirming what I suspected. My right hon. Friend the Secretary of State is extremely able in the digital world, and I am sure that what he has put out is of very high quality.

I wish to respond to some of the criticisms and questions from the debate. First and foremost, over the choice of the BBFC—

Liam Byrne

Tom Bateman, a political editor with BBC politics, tells us he denied the app access to his photos and yet it uploaded pictures anyway, so it is not clear to me how the Secretary of State has been able to produce this app in a way that is violating the country’s privacy laws.

The Chair

Order. If we could keep to the legislation—

Russian Interference in UK Politics

Liam Byrne Excerpts
Thursday 21st December 2017

Commons Chamber

Tom Brake

As the hon. Gentleman probably expects, I will discuss Facebook shortly, including some negative and positive things about its activities.

I should say that I am not attacking the Russians here; I am attacking the Russian Government. Of course, some things that the Russian Government or people associated with them might have been involved with may, indeed, be also activities that other state actors are conducting, so this is not just about Russia, although that is clearly the subject of the debate.

The United States has a gaping vulnerability to disinformation operations carried out by Russia and other malicious actors across the social media environment. In the USA, just one account from the troll factory in St Petersburg managed to amass more than 120,000 followers, interacted with the Trump campaign leaders, and was quoted in newspapers such as the Washington Post as a voice of the American right. Is the Minister happy that the UK has adequate defences against such interference here?

The simple truth is that although Arron Banks and Nigel Farage may be Putin fans, President Putin is certainly not a friend of this country. Russia would only have interfered in the EU referendum or any other elections here in order to damage the security of the UK and, indeed, the EU.

Liam Byrne (Birmingham, Hodge Hill) (Lab)

The right hon. Gentleman is making a brilliant point, but has he noticed that the American national security strategy—published this week—explicitly recognises this threat, whereas our national security strategy does not?

--- Later in debate ---
Tom Brake

I agree entirely with my hon. Friend. I do not know whether she has, but I have engaged in exchanges with David Jones—clearly, I will not continue to do so—because whoever he or she is was a very prolific tweeter during that campaign. So, yes, we need to be aware of those issues.

According to Facebook, neither the Foreign and Commonwealth Office, nor No. 10, nor the intelligence services have given it any advice about what it should be looking for. If that is correct, it concerns me, and I hope the Minister will respond to that point.

Liam Byrne

I think the Americans looked at 47 accounts, which were all provided to the Mueller inquiry by intelligence agencies, but—the right hon. Gentleman is absolutely right—our agencies have offered, I think, only one. The other risk we have to be careful of, though, is that money was transferred onshore—the Electoral Commission is now investigating that—so some of the illicit money may have come from UK onshore accounts.

Tom Brake

I thank the right hon. Gentleman for that intervention. That is another aspect of this issue that I am not going to be able to dwell on at great length in the few minutes that remain.

Facebook is doing work on ad transparency, and I welcome that. Personally, I would be comfortable with having the equivalent of a “printed and published” on the political ads that I place on Facebook. Such measures would help people to understand who was actually promoting themselves. I wonder whether the Minister would support that suggestion.

There is also the issue of authentication. I and, I suspect, every Member here have a blue tick on Twitter, so we have been confirmed as being real people. Maybe Facebook should do something similar to authenticate people with Facebook accounts so that we know that everyone is a genuine person, rather than someone sitting in an office block on the outskirts of Moscow preparing fake accounts. I hope the Minister will agree with that point as well.

We need to resource our response appropriately, and I have concerns—I certainly had concerns when I was a Minister and had dealings with it—that the Electoral Commission does not, in fact, have the resources to deal with this issue. Dealing with activity abroad is clearly not within its remit, and it would not have any expertise to do that, so we need to hear how it can access that expertise. The Minister is nodding, so hopefully he will be able to clarify that issue. I hope he is confident that the Electoral Commission has the necessary resources and expertise, or can at least access them.

--- Later in debate ---
Damian Collins

My hon. Friend is exactly right. It must be able to understand how to target users with information based on what it thinks they are interested in and where that information is coming from. It could conduct its own preliminary research to look for the characteristics of fake accounts and disinformation accounts linked to Russian agencies that are based on its platform. At the moment, it is refusing to do that.

Liam Byrne

Facebook’s last quarterly profits were nearly $4 billion. Does the hon. Gentleman agree that it could afford to conduct the research if the will were there to do so?

Damian Collins

I absolutely agree. I noticed on a recent investor call that Mark Zuckerberg warned Facebook investors that dealing with these issues would have a direct impact on the bottom line. I am glad that he said that, but I would like to see him using that money. I do not see any evidence of the company putting resource into trying to tackle this issue.

At the moment, Facebook’s position in the UK is that it was only responding to questions put to it by the Electoral Commission. That has a much narrower focus because of the Electoral Commission’s exact remit. Facebook is not answering questions put to it by the Select Committee asking for more evidence of Russian-linked activity across the site, including in pages, group accounts and profiles, not just restricted to paid-for advertising. We have a right to receive information from Facebook, and it could conduct such research. It proactively conducted its own research looking at the activity of fake accounts during the French presidential election. That led to the deletion of more than 30,000 accounts, pages and profiles. Facebook did that itself. If it can do it in France, it can do it in the UK too, but currently it will not.

If Facebook’s position is that it will respond only to official intelligence directing it towards fake activity, then we need to be working to do that too. Our intelligence services need to be on the lookout, if that is the only trigger open to us to get Facebook to act.

--- Later in debate ---
Liam Byrne (Birmingham, Hodge Hill) (Lab)

I congratulate the right hon. Member for Carshalton and Wallington (Tom Brake) on securing this important debate.

The argument I want to make is that, unlike our agencies, the Government have been tragically late in waking up to the new world-view that President Putin set out with such clarity and force after his re-election as President in 2012. I also want to set out the opportunity, the means and the motive which have driven Russia to intervene in our democracy, and then to propose to the Minister a number of areas where I think we can work together on reform over the year to come.

Let me start with the motive, however. We have heard a lot, in particular from my hon. Friend the Member for Ilford South (Mike Gapes), about the history of this, and that motive is important to underline. After Putin returned to the presidency in 2012, he offered a very different view about the possibilities of co-operation with the west from those he harboured during his first term. That world-view was not a secret. He set it out with great clarity in his 2013 state of the nation address, where he gave us the theory to match the fury he offered the world in his Munich security conference speech of 2007. He attacked what he called the “post-Christian” west of “genderless and infertile liberalism”, he attacked the Europeans who he said embraced an “equality of good and evil”, and he attacked what he said was a west trapped in moral relativism, lost in a vague sense of identity. Europeans, argued President Putin, had begun

“renouncing their roots, including Christian values, which underlie Western civilization.”

The Kremlin-backed Centre for Strategic Communications had a headline for this story. It described the pitch as “Putin: world conservatism’s new leader”. But of course, this world view has nothing to do with traditional conservatism. It has a great deal to do with the new trends of the alt-right. It has nothing to do with the party of Disraeli.

If Mr Putin were content to confine his philosophy to the limits of his own borders, we would not be having this debate. However, the reality is that he has set out systematically to wreck the vision, the legacy and the record of President Gorbachev, who set out, between 1987 and 1989, a very different view of the way in which Russia and Europe could work together to create what he called “an all-European home”, subject to a common legal space and governed by the European convention on human rights. That is not a view that President Putin shares. There is no all-European home for President Putin. Instead, we see a systematic effort to divide, rule, confound and confuse.

That brings us to the means of Russia’s new strategy. The right hon. Member for New Forest East (Dr Lewis) did us a favour by sketching out the history of active measures. They have a long history in Russian warfare techniques. Major Kalugin, who was the KGB’s highest-ranking defector to the west, described the approach as

“the heart and soul of Soviet intelligence”.

Since 2012, under General Gerasimov, this doctrine has now been renewed. Some call it a doctrine, and some call it a philosophy, but the idea is that

“the very rules of war have changed”,

and that the role of non-military means of intervention behind an opponent’s lines is now very different.

As Anne Applebaum and Peter Pomerantsev of the London School of Economics have set out, these new tactics are characterised by opportunism and involve an unregulated network of propagandists whose material is distributed online. They point out that Russia is now operating in a post-truth environment, and there is no attempt to win people over to a Russian view of the world. There is simply an attempt to confuse and confound.

The way in which this goes to market in the west, however, is through an unholy alliance with extreme leftist groups and extreme right groups. Its aim is to polarise and divide, and to tear down the words on the coat of arms here in the Chamber, which state that we have “more in common” than sets us apart. If we look at the 45 new parties that have been created in Europe over the past 10 to 20 years, we see a clear majority that have some sympathy with Russia. They include Germany’s AFD, Austria’s FPO, the Golden Dawn in Greece, Jobbik in Hungary, the Front National in France, the Northern League in Italy and, indeed, the United Kingdom Independence party.

All those parties have taken a pro-Russia position on matters of huge international interest. The Front National, for example, was given significant loans by Kremlin-backed banks. If we look at the AFD’s relationship with Russia, we see how broadcasters such as Sputnik and Russia-linked accounts systematically intervened to attack Chancellor Merkel and to support the AFD. If we look at the relationship with UKIP, we can see very close links. Nigel Farage famously said that President Putin was the leader that he most admired, back in 2014. In the European Parliament, UKIP has taken consistent positions in favour of the Russian annexation of Crimea. The Atlantic Council has analysed a number of policy positions and concluded that UKIP MEPs

“made similar statements blaming the EU for the Ukraine crisis and asserting Russia’s right to intervene in the ‘near abroad’.”

Looking at all this in the round, the US intelligence community concluded that Russia was intervening systematically abroad in the west, and it would be naive of us to think that Russia was not trying to intervene here in this country.

Mr Seely

Will the right hon. Gentleman give way?

Liam Byrne

I will not give way, because of the lack of time.

That takes us to the heart of the reform agenda that we need to look at. It has now become clear that there is a dark social playbook that is being used to great effect. We have hackers such as Cozy Bear hacking emails, and they work in partnership with useful idiots such as Wikileaks. Alongside them, we have what are politely called alternative news sites. These include Sputnik, Russia Today and, frankly, Leave.EU, Westmonster and Breitbart. They work hard to circulate news that will create a row on Twitter, then the troll farms kick in. The material is then sucked into private Facebook groups, at which point dark money is switched behind those ads to circulate them widely.

The study that I have commissioned for today’s debate from the data science firm Signify will be of interest to Conservative Members. It looked at the terrible front page in The Daily Telegraph attacking Conservative Members for being “Brexit mutineers”. Leave.EU and Westmonster probably picked up that story. Westmonster published the original content. Leave.EU then amplified the story on Twitter and Facebook channels, calling Conservative Members “a cancer” and “Tory Traitors”. Standard social listening tools show that the Twitter account attracted about 1,300 interactions. On the original post, there were only 44 interactions, yet the post on Facebook secured more than 23,000 interactions. The difference is explained by the fact that money, run in this case by Voter Consultancy Ltd, was being switched behind the story in order to attack, influence and attempt to suborn Conservative Members in the debates that we have had over the past week or two. Interestingly, Voter Consultancy Ltd is a dormant company, so we do not know quite where the money was coming from. It has, however, just set up an interesting subsidiary called Disruptive Communications, together with a man called John Douglas Wilson Carswell, formerly of this parish.

My point is that we now have a well-established playbook involving a method of creating rows on Twitter and sucking their content into Facebook using dark money. The ads are not going to everybody. Firms such as Cambridge Analytica or Aggregate IQ are very effectively targeting the ads at a particular demographic.

Liam Byrne

I will not give way.

There is now a motive, a means and a method for Russia to intervene in democracy that we must be aware of. The challenge that we face is that our legislation is completely out of date. The chairman of the Electoral Commission, Sir John Holmes, has openly warned that a perfect storm is putting

“our democratic processes in peril”

and called for urgent steps to deliver transparency in political advertising. We have regulation for social media firms under the European e-commerce directive of 2000, but that was written before social media firms grew to their present size and scale. Because they are treated as platforms, rather than publishers, Ofcom will not regulate them as broadcasters.

The Electoral Commission has confirmed to me that it cannot use civil sanctioning power on non-UK based individuals, or on conduct that takes place outside the UK. That is significant because—as my right hon. Friend the Member for Wolverhampton South East (Mr McFadden), who is not in his place, said—there is a risk that money came in from abroad to support campaigns. The Advertising Standards Authority has expressed to me its grave disquiet that it can ban broadcast political advertising but it cannot ban political advertising in targeted social media platforms.

There are five key steps that we need to take. First, it is ludicrous that the national security strategy does not include a specific objective to defend the integrity of our democracy. Secondly, we need to review the e-commerce directive, as Lord Bew has recommended, and if the Government do not bring forward consultation on such a change, we on this side of the House will do so. Thirdly, it is time to look again at the Communications Act 2003. In particular, we want to know why the Electoral Commission is not using its power to investigate collusion between Aggregate IQ and Cambridge Analytica. Fourthly, the Electoral Commission obviously needs new powers. Fifthly, we need to pick up on what the hon. Member for Isle of Wight (Mr Seely) said about a different generation of responses, like the active measures working group. I shall finish with a line from Abraham Lincoln, who said that

“the price of freedom is constant vigilance.”

We cannot let a new cyber-curtain disguise what our opponents are up to. It is time that this Government opened their eyes and started acting.

--- Later in debate ---
Matt Hancock

I will come on to that important point in relation to the cyber-attacks.

As the Prime Minister made clear in her speech at the Guildhall in November, we want to build a more productive relationship with Russia, but we also want to see Russia play its full and proper role in the rules-based international order. We will therefore not hesitate in calling out behaviour that undermines that order or threatens our interests at home and overseas.

Liam Byrne

If there was no evidence of successful intervention, was there evidence of unsuccessful intervention? If so, what was it?

Matt Hancock

Some evidence has already been declared, such as Facebook’s declaration that there had been some paid-for advertising by organisations that were also involved in US democratic processes. However, as we know, the scale of the activity that has been declared by Facebook is extremely small, amounting to $0.97. I will get on to the point about the transparency of information, because we do not think that that amount credibly represents the whole gamut of activity.

We have identified Russia as responsible for a sustained campaign of cyber-espionage and disruption around the world. When we have seen the Kremlin deploy disinformation in an attempt to sow division and meddle in overseas elections, and to deflect attention away from international incidents, such as the downing of MH17 or the use of chemical weapons by the Syrian regime, we have rightly raised those concerns on the international stage. However challenging our relationship might sometimes be, it is also essential that we keep the channels of communication open to the Kremlin and the Russian people. To that end, my right hon. Friend the Secretary of State for Foreign and Commonwealth Affairs will be in Moscow tomorrow. While there, he will firmly and clearly raise our concerns over the use of disinformation and cyber, and he will reaffirm the Prime Minister’s message, given at the Guildhall, about wanting to see a more productive relationship, built on mutual trust.