The Minister for Data and Digital Infrastructure (Julia Lopez)
I beg to move, That the Bill be now read a Second time.
Data is already the fuel driving the digital age: it powers the
everyday apps that we use, public services are being improved by
its better use and businesses rely on it to trade, produce goods
and deliver services for their customers. But how we choose to
use data going forward will become even more important: it will
determine whether we can grow an innovative economy with
well-paid, high-skill jobs, it will shape our ability to compete
globally in developing the technologies of the future and it will
increasingly say something about the nature of our democratic
society. The great challenge for democracies, as I see it, will
be how to use data to empower rather than control citizens,
enhancing their privacy and sense of agency without letting
authoritarian states—which, in contrast, use data as a tool to
monitor and harvest information from citizens—dominate
technological advancement and get a competitive advantage over
our companies.
The UK cannot step aside from the debate by simply
rubber-stamping whatever iteration of the GDPR comes out of
Brussels. We have in our hands a critical opportunity to take a
new path and, in doing so, to lead the global conversation about
how we can best use data as a force for good—a conversation in
which using data more effectively and maintaining high data
protection standards are seen not as contradictory but as
mutually reinforcing objectives, because trust in this more
effective system will build the confidence to share information.
We start today not by kicking off a revolution, turning over the
apple cart and causing a compliance headache for UK firms, but by
beginning an evolution away from an inflexible one-size-fits-all
regime and towards one that is risk-based and focused on
innovation, flexibility and the needs of our citizens,
scientists, public services and companies.
Businesses need data to make better decisions and to reach the
right consumers. Researchers need data to discover new
treatments. Hospitals need it to deliver more personalised
patient care. Our police and security services need data to keep
our people safe. Right now, our rules are too vague, too complex
and too confusing always to understand. The GDPR is a good
standard, but it is not the gold standard. People are struggling
to utilise data to innovate, because they are tied up in
burdensome activities that are not fundamentally useful in
enhancing privacy.
A recently published report on compliance found that 81% of
European publishers were unknowingly in breach of the GDPR,
despite doing what they thought the law required of them. A
YouGov poll from this year found that one in five marketing
professionals in the UK report knowing absolutely nothing about
the GDPR, despite being bound by it. It is not just businesses:
the people whose privacy our laws are supposed to protect do not
understand it either. Instead, they click away the thicket of
cookie pop-ups just so they can see their screen.
The Bill will maintain the high standards of data protection that
British people rightly expect, but it will also help the people
who are most affected by data regulation, because we have
co-designed it with those people to ensure that our regulation
reflects the way in which real people live their lives and run
their businesses.
(Edinburgh West) (LD)
Does the Minister agree that the retention and enhancement of
public trust in data is a major issue, that sharing data is a
major issue for the public, and that the Government must do
more—perhaps she can tell us whether they intend to do more—to
educate the public about how and where our data is used, and what
powers individuals have to find out this information?
I thank the hon. Lady for her helpful intervention. She is right:
as I said earlier, trust in the system is fundamental to whether
citizens have the confidence to share their data and whether we
can therefore make use of that data. She made a good point about
educating people, and I hope that this debate will mark the start
of an important public conversation about how people use data.
One of the challenges we face is a complex framework which means
that people do not even know how to talk about data, and I think
that some of the simplifications we wish to introduce will help
us to understand one of the fundamental principles to which we
want our new regime to adhere.
Sir (New Forest East) (Con)
My hon. Friend gave a long list of people who found the rules we
had inherited from outside the UK challenging. She might add to
that list Members of Parliament themselves. I am sure I am not
alone in having been exasperated by being complained about to the
Information Commissioner, in this case by a constituent who had
written to me complaining about a local parish council. When I
shared his letter with the parish council so that it could show
how bogus his long-running complaint had been, he proceeded to
file a complaint with the Information Commissioner’s Office
because I had shared his phone number—which he had not marked as
private—with the parish council, with which he had been in
correspondence for several years. The Information Commissioner’s
Office took that seriously. This sort of nonsense shows how
over-restrictive regulations can be abused by people who are out
to stir up trouble unjustifiably.
Let me gently say that if my right hon. Friend’s constituent was
going to pick on one Member of Parliament with whom to raise this
point, the Member of Parliament who does not, I understand, use
emails would be one of the worst candidates. However, I entirely
understand Members’ frustration about the current rules. We are
looking into what we can do in relation to democratic engagement,
because, as my right hon. Friend says, this is one of the areas
in which there is not enough clarity about what can and cannot be
done.
We want to reduce burdens on businesses, and above all for the
small businesses that account for more than 99% of UK firms. I am
pleased that the Under-Secretary of State for Business and Trade,
my hon. Friend the Member for Thirsk and Malton, is present to back up
those proposals. Businesses that do not have the time, the money
or the staff to spend precious hours doing unnecessary
form-filling are currently being forced to follow some of the
same rules as a billion-dollar technology company. We are
therefore cutting the amount of pointless paperwork, ensuring
that organisations only have to comply with rules on
record-keeping and risk assessment when their processing
activities are high-risk. We are getting rid of excessively
demanding requirements to appoint data protection officers,
giving small businesses much more flexibility when it comes to
how they manage data protection risks without procuring external
resources.
Those changes will not just make the process simpler, clearer and
easier for businesses, they will make it cheaper too. We are
expecting micro and small businesses to save nearly £90 million
in compliance costs every year: that is £90 million more for
higher investment, faster growth and better jobs. According to
figures published in 2021, data-driven trade already generates
85% of our services exports. Our new international transfers
regime clarifies how we can build data bridges to support the
close, free and safe exchange of data with other trusted
allies.
(Weston-super-Mare) (Con)
I am delighted to hear the Secretary of State talk about reducing
regulatory burdens without compromising the standards that we are
none the less delivering—that is the central distinction, and
greatly to be welcomed for its benefits for the
entrepreneurialism and fleetness of foot of British industry.
Does she agree, however, that while the part of the Bill that
deals with open data, or smart data, goes further than that and
creates fresh opportunities for, in particular, the small
challenger businesses of the kind she has described to take on
the big incumbents that own the data lakes in many sectors, those
possibilities will be greatly reduced if we take our time and
move too slowly? Could it not potentially take 18 months to two
years for us to start opening up those other sectors of our
economy?
I am delighted, in turn, to hear my hon. Friend call me the
Secretary of State—I am grateful for the promotion, even if it is
not a reality. I know how passionate he feels about open data,
which is a subject we have discussed before. As I said earlier, I
am pleased that the Under-Secretary of State for Business and
Trade is present, because this morning he announced that a new
council will be driving forward this work. As my hon. Friend
knows, this is not necessarily about legislation being in place—I
think the Bill gives him what he wants—but about that sense of
momentum, and about onboarding new sectors into this regime and
not being slow in doing so. As he says, a great deal of economic
benefit can be gained from this, and we do not want it to be
delayed any further.
(North West Hampshire) (Con)
Let me first draw attention to my entry in the Register of
Members’ Financial Interests. Let me also apologise for missing
the Minister’s opening remarks—I was taken by surprise by the
shortness of the preceding statement and had to rush to the
Chamber.
May I take the Minister back to the subject of compliance costs?
I understand that the projected simplification will result in a
reduction in those costs, but does she acknowledge that a new
regime, or changes to the current regime, will kick off an
enormous retraining exercise for businesses, many of which have
already been through that process recently and reached a settled
state of understanding of how they should be managing data? Even
a modest amount of tinkering instils a sense among British
businesses, particularly small businesses, that they must put
everyone back through the system, at enormous cost. Unless the
Minister is very careful and very clear about the changes being
made, she will create a whole new industry for the next two or
three years, as every data controller in a small business—often
doing this part time alongside their main job—has to be
retrained.
We have been very cognisant of that risk in developing our
proposals. As I said in my opening remarks, we do not wish to
upset the apple cart and create a compliance headache for
businesses, which would be entirely contrary to the aims of the
Bill. A small business that is currently compliant with the GDPR
will continue to be compliant under the new regime. However, we
want to give businesses flexibility in regard to how they deliver
that compliance, so that, for instance, they do not have to
employ a data protection officer.
(Ceredigion) (PC)
I am grateful to the Minister for being so generous with her
time. May I ask whether the Government intend to maintain data
adequacy with the EU? I only ask because I have been contacted by
some business owners who are concerned about the possible loss of
EU data adequacy and the cost that might be levied on them as a
result.
I thank the hon. Gentleman for pressing me on that important
point. I know that many businesses are seeking to maintain
adequacy. If we want a business-friendly regime, we do not want
to create regulatory disruption for businesses, particularly
those that trade with Europe and want to ensure that there is a
free flow of data. I can reassure him that we have been in
constant contact with the European Commission about our
proposals. We want to make sure that there are no surprises. We
are currently adequate, and we believe that we will maintain
adequacy following the enactment of the Bill.
(Salford and Eccles) (Lab)
I was concerned to hear from the British Medical Association that
if the EU were to conclude that data protection legislation in
the UK was inadequate, that would present a significant problem
for organisations conducting medical research in the UK. Given
that so many amazing medical researchers across the UK currently
work in collaboration with EU counterparts, can the Minister
assure the House that the Bill will not represent an inadequacy
in comparison with EU legislation as it stands?
I hope that my previous reply reassured the hon. Lady that we
intend to maintain adequacy, and we do not consider that the Bill
will present a risk in that regard. What we are trying to do,
particularly in respect of medical research, is make it easier
for scientists to innovate and conduct that research without
constantly having to return for consent when it is apparent that
consent has already been granted for particular medical data
processing activities. We think that will help us to maintain our
world-leading position as a scientific research powerhouse.
Alongside new data bridges, the Secretary of State will be able
to recognise new transfer mechanisms for businesses to protect
international transfers. Businesses will still be able to
transfer data across borders with the compliance mechanisms that
they already use, avoiding needless checks and costs. We are also
delighted to be co-hosting, in partnership with the United
States, the next workshop of the global cross-border privacy
rules forum in London this week. The CBPR system is one of the
few existing operational mechanisms that, by design, aims to
facilitate data flows on a global scale.
World-class research requires world-class data, but right now
many scientists are reluctant to get the data they need to get on
with their research, for the simple reason that they do not know
how research is defined. They can also be stopped in their tracks
if they try to broaden their research or follow a new and
potentially interesting avenue. When that happens, they can be
required to go back and seek permission all over again, even
though they have already gained that permission earlier to use
personal data. We do not think that makes sense. The pandemic
showed that we cannot risk delaying discoveries that could save
lives. Nothing should be holding us back from curing cancer,
tackling disease or producing new drugs and treatments. This Bill
will simplify the legal requirements around research so that
scientists can work to their strengths with legal clarity on what
they can and cannot do.
The Bill will also ensure that people benefit from the results of
research by unlocking the potential of transformative
technologies. Taking artificial intelligence as an example, we
have recently published our White Paper: “AI regulation: a
pro-innovation approach”. In the meantime, the Bill will ensure
that organisations know when they can use responsible automated
decision making and that people know when they can request human
intervention where those decisions impact their lives, whether
that means getting a fair price for the insurance they receive
after an accident or a fair chance of getting the job they have
always wanted.
I spoke earlier about the currency of trust and how, by
maintaining it through high data protection standards, we are
likely to see more data sharing, not less. Fundamental to that
trust will be confidence in the robustness of the regulator. We
already have a world-leading independent regulator in the
Information Commissioner’s Office, but the ICO needs to adapt to
reflect the greater role that data now plays in our lives
alongside its strategic importance to our economic
competitiveness. The ICO was set up in the 1980s for a completely
different world, and the pace, volume and power of the data we
use today has changed dramatically since then.
It is only right that we give the regulator the tools it needs to
keep pace and to keep our personal data safe while ensuring that,
as an organisation, it remains accountable, flexible and fit for
the modern world. The Bill will modernise the structure and
objectives of the ICO. Under this legislation, protecting our
personal data will remain the ICO’s primary focus, but it will
also be asked to focus on how it can empower businesses and
organisations to drive growth and innovation across the UK, and
support public trust and confidence in the use of personal
data.
The Bill is also important for consumers, helping them to share
less data while getting more product. It will support smart data
schemes that empower consumers and small businesses to make
better use of their own data, building on the extraordinary
success of open banking tools offered by innovative businesses,
which help consumers and businesses to manage their finances and
spending, track their carbon footprint and access credit.
(Strangford) (DUP)
The Minister always delivers a very solid message and we all
appreciate that. In relation to the high data protection
standards that she is outlining, there is also a balance to be
achieved when it comes to ensuring that there are no unnecessary
barriers for individuals and businesses. Can she assure the House
that that will be exactly what happens?
I am always happy to take an intervention from the hon. Member. I
want to assure him that we are building high data protection
standards that are built on the fundamental principles of the
GDPR, and we are trying to get the right balance between high
data protection standards that will protect the consumer and
giving businesses the flexibility they need. I will continue this
conversation with him as the Bill passes through the House.
(Weaver Vale) (Lab)
I thank the Minister for being so generous with her time. With
regard to the independent commissioner, the regulator, who will
set the terms of reference? Will it be genuinely independent? It
seems to me that a lot of power will fall on the shoulders of the
Secretary of State, whoever that might be in the not-too-distant
future.
The Secretary of State will have greater powers when it comes to
some of the statutory codes that the ICO adheres to, but those
powers will be brought to this House for its consent. The whole
idea is to make the ICO much more democratically accountable. I
know that concern about the independence of the regulator has
been raised as we have been working up these proposals, but I
wish to assure the House that we do not believe those concerns to
be justified or legitimate. The Bill actually has the strong
support of the current Information Commissioner.
The Bill will also put in place the foundations for data
intermediaries, which are organisations that can help us to
benefit from our data. In effect, we will be able to share less
sensitive data about ourselves with businesses while securing
greater benefits. As I say, one of the examples of this is open
banking. Another way in which the Bill will help people to take
back control of their data is by making it easier and more secure
for people to prove things about themselves once, electronically,
without having to dig out stacks of physical documents such as
passports, bills, statements and birth certificates and then
having to provide lots of copies of those documents to different
organisations. Digital verification services already exist, but
we want consumers to be able to identify trustworthy providers by
creating a set of standards around them.
The Bill is designed not just to boost businesses, support
scientists and deliver consumer benefits; it also contains
measures to keep people healthy and safe. It will improve the way
in which the NHS and adult social care organise data to deliver
crucial health services. It will let the police get on with their
jobs by allowing them to spend more time on the beat rather than
on pointless paperwork. We believe that this will save up to 1.5
million hours of police time each year—
(Loughborough) (Con)
Hear, hear.
I know that my hon. Friend has been passionate on this point, and
we are looking actively into her proposals.
We are also updating the outdated system of registering births
and deaths based on paper processes from the 19th century.
Data has become absolutely critical for keeping us healthy, for
keeping us safe and for growing an economy with innovative
businesses, providing jobs for generations to come. Britain is at
its best when its businesses and scientists are at theirs. Right
now, our rules risk holding them back, but this Bill will change
that because it was co-designed with those businesses and
scientists and with the help of consumer groups. Simpler, easier,
clearer regulation gives the people using data to improve our
lives the certainty they need to get on with their jobs. It
maintains high standards for protecting people’s privacy while
seeking to maintain our adequacy with the EU. Overall, this
legislation will make data more useful for more people and more
usable by businesses, and it will enable greater innovation by
scientists. I commend the Bill to the House.
6.26pm
(Manchester Central) (Lab/Co-op)
It is good finally to get the data Bill that was promised so long
ago. We nearly got there in the halcyon days of September 2022,
under the last Prime Minister, after it had been promised by the
Prime Minister before. However, the Minister has a strong record
of bringing forward and delivering things that the Government
have long promised. I also know that she has another special
delivery coming soon, which I very much welcome and wish her all
the best with. She took a lot of interventions and I commend her
for all that bobbing up and down while so heavily pregnant. I
would also like to send my best wishes to the Secretary of State,
who let me know that she could not be here today. I would also
like to wish her well with her imminent arrival. There is lots of
delivery going on today.
We are in the midst of a digital and data revolution, with data
increasingly being the most prized asset and fundamental to the
digital age, but this Bill, for all its hype, fails to meet that
moment. Even since the Bill first appeared on the Order Paper
last September, AI chatbots have become mainstream, TikTok has
been fined for data breaches and banned from Government devices,
and AI image generators have fooled the world into thinking that
the Pope had a special papal puffer coat. The world, the economy,
public services and the way we live and communicate are changing
fast. Despite these revolutions, this data Bill does not rise to
the challenges. Instead, it tweaks around the edges of GDPR,
making an already dense set of privacy rules even more
complex.
The UK can be a global leader in the technologies of the future.
We are a scientific superpower, we have some of the world’s best
creative industries and now, outside the two big trading blocs,
we could have the opportunities of nimbleness and being in the
vanguard of world-leading regulation. In order to harness that
potential, however, we need a Government who are on the pitch,
setting the rules of the game and ensuring that the benefits of
new advances are felt by all of us and not just by a handful of
companies. The Prime Minister can tell us again how much he loves
maths, but without taking the necessary steps to support the data
and digital economy, his sums just do not add up.
The contents of this Bill might seem technical—as drafted, they
are incredibly technical—but they matter greatly to every
business, consumer, citizen and organisation. As such, data is a
significant source of power and value. It shapes the relationship
between business and consumers, between the state and citizens,
and much, much more. Data information is critical to innovation
and economic growth, to modern public services, to democratic
accountability and to transforming societies, if harnessed and
shaped in the interest of the many, not simply the few—pretty
major, I would say.
Now we have left the EU, the UK has an opportunity to lead the
world in this area. The next generation of world-leading
regulation could allow small businesses and start-ups to compete
with the monopolies in big tech, as we have already heard. It
could foster a climate of open data, enable public services to
use and share data for improved outcomes, and empower consumers
and workers to have control over how their data is used. In the
face of this huge challenge, the Bill is at best a missed
opportunity, and at worst adds another complicated and uncertain
layer of bureaucracy. Although we do not disagree with its aims,
there are serious questions about whether the Bill will, in
practice, achieve them.
Data reform and new regulation are welcome and long overdue. Now
that we have left the EU, we need new legislation to ensure that
we both keep pace with new developments and make the most of the
opportunities. The Government listened to some of the concerns
raised in response to the consultation and removed most of the
controversial and damaging proposals. GDPR has been hard to
follow for some businesses, especially small businesses and
start-ups, so streamlining and simplifying data protection rules
is a welcome aim. However, we will still need some of them to
meet EU data adequacy rules.
The aim of shifting away from tick-box exercises towards a more
proactive and systematic approach to regulation is also good.
Better and easier data sharing between public services is
essential, and some of the changes in that area are welcome,
although we will need assurances that private companies will not
benefit commercially from personal health data without people’s
say so. Finally, nobody likes nuisance calls or constant cookie
banners, and the moves to reduce or remove them are welcome,
although there are questions about whether the Bill lives up to
the rhetoric.
In many areas, however, the Bill threatens to take us backwards.
First, it may threaten our ability to share data with the EU,
which would be seriously bad for business. Given the astronomical
cost to British businesses should data adequacy with the EU be
lost, businesses and others are rightly looking for more
reassurances that the Bill will not threaten these arrangements.
The EU has already said that the vast expansion of the Secretary
of State’s powers, among other things, may put the agreement in
doubt. If this were to come to pass, the additional burdens on
any business operating within the EU, even vaguely, would be
enormous.
British businesses, especially small businesses, have faced
crisis after crisis. Many only just survived through covid and
are now facing rising energy bills that threaten to push them
over the edge. According to the Information Commissioner,
“most organisations we spoke to had a plea for continuity.”
The Government must go further on this.
Secondly, the complex new requirements in this 300-page Bill
threaten to add more hurdles, rather than streamlining the
process. Businesses have serious concerns that, having finally
got their head around GDPR, they will now have to comply with
both GDPR and all the new regulations in this Bill. That is not
cutting red tape, in my view.
Thirdly, the Bill undermines individual rights. Many of the areas
in which the Bill moves away from GDPR threaten to reduce
protection for citizens, making it harder to hold to account the
big companies that process and sell our data. Subject access
requests are being diluted, as the Government are handing more
power to companies to refuse such requests on the grounds of
being excessive or vexatious. They are tilting the rules in
favour of the companies that are processing our data. Data
protection impact assessments will no longer be needed, and
protections against automated decision making are being
weakened.
AlgorithmWatch explains that automated decision making is “never
neutral.” Outputs are determined by the quality of the data that
is put into the system, whether that data is fair or biased.
Machine learning will propagate and enhance those differences,
and unfortunately it already has. Is my hon. Friend concerned
that the Bill removes important GDPR safeguards that protect the
public from algorithmic bias and discrimination and, worse,
provides Henry VIII powers that will allow the Secretary of State
to make sweeping regulations on whether meaningful human
intervention is required at all in these systems?
My hon. Friend makes two very good points, and I agree with her
on both. I will address both points in my speech.
Taken together, these changes, alongside the Secretary of State’s
sweeping new powers, will tip the balance away from individuals
and workers towards companies, which will be able to collect far
more data for many more purposes. For example, the Bill could
have a huge impact on workers’ rights. There are ever more ways
of tracking workers, from algorithmic management to recruitment
by AI. People are even being line managed by AI, with holiday
allocation, the assignment of roles and the determination of
performance being decided by algorithm. This is most serious when
a low rating triggers discipline or dismissal. Transparency and
accountability are particularly important given the power
imbalance between some employers and workers, but the Bill
threatens to undermine them.
If a person does not even know that surveillance or algorithms
are being used to determine their performance, they cannot
challenge it. If their privacy is being infringed to monitor
their work, that is a harm in itself. If a worker’s data is being
monetised by their company, they might not even know about it,
let alone see a cut. The Bill, in its current form, undermines
workers’ ability to find out what data is held about them and how
it is being used. The Government should look at this again.
The main problem, however, is not what is in the Bill but,
rather, what is not. Although privacy is, of course, a key issue
in data regulation, it is not the only issue. Seeing regulation
only through the lens of privacy can obscure all the ways that
data can be used and can impact on communities. In modern data
processing, our data is not only used to make decisions about us
individually but pooled together to analyse trends and predict
behaviours across a whole population. Using huge amounts of data,
companies can predict and influence our behaviour. From Netflix
recommendations to recent examples of surge pricing in music and
sports ticketing, to the monitoring of covid outbreaks, the true
power of data is in how it can be analysed and deployed. This
means the impact as well as the potential harms of data are felt
well beyond the individual level.
Moreover, as we heard from my hon. Friend the Member for Salford
and Eccles, the algorithms that
analyse data often replicate and further entrench society’s
biases. Facial recognition that is trained on mostly white faces
will more likely misidentify a black face—something that I know
the parliamentary channel sometimes struggles with. AI language
bots produce results that reflect the biases and limitations of
their creators and the data on which they are trained. This Bill
does not take on any of these community and societal harms. Who
is responsible when the different ways of collecting and using
data harm certain groups or society as a whole?
As well as the harms, data analytics offers huge opportunities
for public good, as we have heard. Opening up data can ensure
that scientists, public services, small businesses and citizens
can use data to improve all our lives. For example, Greater
Manchester has, over the years, linked data across a multitude of
public services to hugely improve our early years services, but
this was done entirely locally and in the face of huge barriers.
Making systems and platforms interoperable could ensure that
consumers can switch services to find the best deal, and it could
support smaller businesses to compete with existing giants.
Establishing infrastructure such as a national research cloud and
data trusts could help small businesses and not-for-profit
organisations access data and compete with the giants. Citymapper
is a great example, as it used Transport for London’s open data
to build a competitor to Google Maps in London. Open approaches
to data will also provide better oversight of how companies use
algorithms, and of the impact on the rest of us.
Finally, where are the measures to boost public trust? After the
debacle of the exam algorithms and the mishandling of GP data,
which led millions of people to withdraw their consent, and with
workers feeling the brunt but none of the benefits of
surveillance and performance management, we are facing a crisis
in public trust. Rather than increasing control over and
participation in how our data is used, the Bill is removing even
the narrow privacy-based protections we already have. In all
those regards, it is a huge missed opportunity.
To conclude, with algorithms increasingly making important
decisions about how we live and work, data protection has become
ever more important to ensure that people have knowledge,
control, confidence and trust in how and why data is being used.
A data Bill is needed, but we need one that looks towards the
future and harnesses the potential of data to grow our economy
and improve our lives. Instead, this piecemeal Bill tinkers
around the edges, weakens our existing data protection regime and
could put our EU adequacy agreement at risk. We look forward to
addressing some of those serious shortcomings in Committee.
6.40pm
Sir (Maldon) (Con)
I welcome the Bill. I am delighted that it finally takes
advantage of one of the freedoms that has resulted from our
leaving the European Union, which I supported at the time and
continue to support. As has been indicated, the Bill has had a
long gestation. I was the Minister at the time of the issue of
the consultation paper in September 2021 and the Bill first
appeared a year later. As the Opposition spokesman pointed out, a
small hiccup delayed it a bit further.
Our current data protection laws originate almost entirely from
the EU and are based on GDPR. Before the adoption of GDPR in
2016, the UK Government opposed parts of it. I recall that the
assessment at the time was that, although there were benefits to
larger companies, there would be substantial costs for smaller
firms and indeed that has been borne out. There was a debate in
government about whether we should oppose the GDPR regulation
when it was going through the process of the Commission
formation. As so often was the case in the EU, we were advised
that, if we opposed that, we would lose vital leverage and our
ability to influence its development. Whether we were able then
to influence its development is arguable, but it was decided that
we should not outright oppose it. However, it has always been
clear that the one-size-fits-all GDPR that currently is in place
imposes significant costs on smaller firms. When we had the
consultation in 2021, smaller firms in particular complained
about the complexity of GDPR, and the uncertainty and cost that
it imposed. Clearly, there was seen to be an opportunity to
streamline it—not to remove it, but to make it simpler and more
understandable, and to reduce some of the burdens it imposes. We
now have that opportunity to diverge.
The other thing that came back from the consultation—I agree with
the Opposition Members who have raised this point—was that there
is an advantage in the UK’s retaining data adequacy with the EU.
It was not taken for granted that we would get data adequacy. A
lengthy negotiation with the EU took place before a data adequacy
agreement was reached. As part of that process, officials rightly
looked at what alternative there would be, should we not be
granted data adequacy. It became clear that there are ways around
it. Standard contractual clauses and alternative transfer
mechanisms would allow companies to continue to exchange data. It
would be a little more complicated. They would need to write the
clauses into contracts. For that reason, there was clearly a
value in having a general data adequacy agreement, but one should
not think that the loss of data adequacy would be a complete
disaster because, as I say, there are ways around it.
The Government are right to look at additional adequacy
agreements with countries outside the EU, because therein lies a
great opportunity. The EU has managed to conclude some, but not
that many, and the Government have rightly identified a number of
target countries where we see benefits from achieving data
adequacy agreements. It is perfectly possible for us to diverge
to a limited extent from GDPR and still retain adequacy. Notably,
the EU recognises New Zealand’s regime as being adequate, even
though New Zealand’s data protection laws are different from
those of the EU. The fact that we decided to appoint the former
New Zealand Information Commissioner as our own Information
Commissioner means that he brings a particular degree of
knowledge about that, which will be very useful.
In considering data protection law, it is sometimes said that
there is a conflict between privacy—the right of consumers to
have protection of their data—and the innovation and growth
opportunities of technology companies. I do not believe that that
is true; the two things have to be integral parts of our data
protection laws. If people believe that their privacy is at risk,
they will not trust the exchange of data. One problem is that, in
general, people read only about the problems that arise,
particularly from things such as identity theft, hacks and the
loss of data as a result of people leaving memory sticks on
phones or of cyber-criminals hacking into large databases and
taking all their financial information. All those things are a
genuine risk, but they present only one side of the picture and,
in general, people reach their view about the importance of data
protection according to all the risk, without necessarily seeing
the real benefits that come from the free exchange of data. That
was perhaps the lesson that covid showed us more than any other:
by allowing the exchange of data, it allowed us to develop and
research vaccines. We were able to research what worked in terms
of prevention and the various measures that could be taken to
protect consumers from getting covid. Therefore, covid was the
big demonstration of the fact that data exchange can bring real
benefits to all consumers. We are just on the threshold—
Further to my right hon. Friend’s point about facilitating a
trusted mechanism for sharing data, does he agree that the huge
global success of open banking in this country has demonstrated
that a trust framework not only makes people much more willing to
exchange their data but frees up the economy and creates a
world-leading sector at the same time?
Sir
I agree with my hon. Friend on that. The use of smart data in
open banking demonstrates the benefits that can flow from its
use, and that example could be replicated in a large number of
other sectors to similar benefit. I hope that that will be one
benefit that will eventually flow from the changes we are
making.
As I say, we are on the threshold of an incredibly exciting time.
The use of artificial intelligence and automated decision making
will bring real consumer benefits, although, of course,
safeguards must be built in. The question of algorithmic bias was
looked at by the Centre for Data Ethics and Innovation and there
was evidence there. Obviously, we need to take account of that
and build in protections against it, but, in general, the
opportunities that can flow from making data more easily
available are enormous.
I wish to flag up a couple of things. People have long found
pop-up banner cookies deeply irritating. They have become
self-defeating, because they are so ubiquitous that everybody
just presses “yes”. The whole point of them was to acquire
informed consent, but that is undermined if everybody is
confronted by these things every time they log on to the internet
and they automatically press “yes” without properly reading what
they are consenting to. Restricting them to cookies that
represent intrusive acquisition of data and explaining that to
people and requiring consent is clearly an improvement. That will
not only make data exchange easier but increase consumer
protection, as people will know that they are being asked to give
consent because they may choose not to allow their data to be
used.
I understand the concerns that have been expressed about the Bill
in some areas, particularly about the powers that will be given
to the Secretary of State, but this is a complicated area. It is
also one where technology is moving very fast. We need flexible
legislation to keep up to date with the development of
technology, so, to some extent, secondary legislation is probably
the right way forward. We will debate these matters in Committee,
but, generally, the Bill will help to deliver the Government’s
declared intention, which is to make the UK the most successful
data-driven technology economy in the world.
6.50pm
(Glasgow North West)
(SNP)
We can all agree that the free flow of personal data across
borders is essential to the economy, not just within the UK but
with other countries, including our biggest trading partner, the
EU. Reforms to our data protection framework must have
appropriate safeguards in place to ensure that we do not put
EU-UK data flows at risk.
Despite the Government’s promises of reforms to empower people in
the use of their data, the Bill instead threatens to undermine
privacy and data protection. It potentially moves the UK away
from the “adequacy” concept in the EU GDPR, and gives weight to
the idea that different countries can maintain data protection
standards in different but equally effective ways. The only way
that we can properly maintain standards is by having a standard
across the different trading partners, but the Bill risks
creating a scenario where the data of EU citizens could be passed
through the UK to countries with which the EU does not have an
agreement. The changes are raising red flags in Europe. Many
businesses have spoken out about the negative impacts of the
Bill’s proposals. Many of them will continue to set their
controls to EU standards and operate on EU terms to ensure that
they can continue to trade there.
According to conservative estimates, the loss of the adequacy
agreement could cost £1.6 billion in legal fees alone. That
figure does not include the cost resulting from disruption of
digital trade and investments. The Open Rights Group says:
“Navigating multiple data protection regimes will significantly
increase costs and create bureaucratic headaches for
businesses.”
Although I understand that the Bill is an attempt to reduce the
bureaucratic burden for businesses, we are now potentially asking
those businesses to operate with two different standards, which
will cause them a bigger headache. It would be useful if the
Government confirmed that they have sought legal advice on the
adequacy impact of the Bill, and that they have confirmed with EU
partners that the EU is content that the Bill and its provisions
will not harm EU citizens or undermine the trade and co-operation
agreement with the EU.
Several clauses of the Bill cause concern. We need more clarity
on those that expand the powers of the Home Secretary and the
police, and we will require much further discussion on them in
Committee. Given what has been revealed over the past few months
about the behaviour of some members of the Metropolitan police,
there are clauses in the Bill that should cause us concern. A
national security certificate that would give the police immunity
when they commit crimes by using personal data illegally would
cause quite a headache for many of us. The Government have not
tried to explain why they think that police should be allowed to
operate in the darkness, which they must now rectify if they are
to improve public trust.
The Bill will also expand what counts as an “intelligence
service” for the purposes of data protection law, again at the
Home Secretary's discretion. The Government argue that this would
create a “simplified” legal framework, but, in reality, it will
hand massive amounts of people’s personal information to the
police. This could include the private communications as well as
information about an individual’s health, political belief,
religious belief or sex life.
The new “designation notice” regime would not be reviewable by
the courts, so Parliament might never find out how and when the
powers have been used, given that there is no duty to report to
Parliament. The Home Secretary is responsible for both approving
and reviewing designation notices, and only a person who is
“directly affected” by such a notice will be able to challenge
it, yet the Home Secretary would have the power to keep the
notice secret, meaning that even those affected would not know it
and therefore could not possibly challenge it.
These are expansive broadenings of the powers not only of the
Secretary of State, but of the police and security services. If
the UK Government cannot adequately justify these powers, which
they have not done to date, they must be withdrawn or, at the
very least, subject to meaningful parliamentary oversight.
Far from giving people greater power over their data, the Bill
will stop the courts, Parliament and individuals from challenging
illegal uses of data. Under the Bill, organisations can deny or
charge a fee to individuals for the right to access information.
The right hon. Member for New Forest East mentioned the difficulty he
had with a constituent. I think we can all have some sympathy
with that, because many of us have probably experienced similar
requests from members of the public. However, it is the public’s
right to have access to the data that we hold. If an organisation
decides that these requests are “vexatious or excessive”, they
can refuse them, but what is “vexatious or excessive”? These
words are vague and open to interpretation. Moreover, charging a
fee will create a barrier for some people, particularly those on
lower incomes, and effectively restricts control of data to more
affluent citizens.
The Bill changes current rules that prevent companies and the
Government from making solely automated decisions about
individuals that could have legal or other significant effects on
their lives. We have heard a lot about the potential benefits of
AI and how it could be used to enhance our lives, but for public
trust and buy-in of AI, we need to know that there is some
oversight. Without that, there will always be a question hanging
over it. The SyRI case in the Netherlands involved innocuous
datasets such as household water usage being used by an automated
system to accuse individuals of benefit fraud.
The Government consultation response acknowledges that, for
respondents,
“the right to human review of an automated decision was a key
safeguard”.
But despite the Government acknowledging the importance of a
human review in an automated decision, clause 11, if implemented,
would mean that solely automated decision making is permitted in
a wider range of contexts. Many of us get excited about AI, but
it is important to acknowledge that AI still makes mistakes.
The Bill will allow the Secretary of State to approve
international transfers to countries with weak data protection,
so even if the Bill does not make data security in the UK weaker,
it will weaken the protections of UK citizens’ data by allowing
it to be transferred abroad in cases with lower safeguards.
It is useful to hear a couple of stakeholder responses. The
Public Law Project has said:
“The Data Protection and Digital Information (No.2) Bill would
weaken important data protection rights and safeguards, making it
more difficult for people to know how their data is being
used”.
The Open Rights Group has said:
“The government has an opportunity to strengthen the UK’s data
protection regime post Brexit. However, it is instead setting the
country on a dangerous path that undermines trust, furthers
economic instability, and erodes fundamental rights.”
Since we are talking about a Bill under the Department for
Science, Innovation and Technology, it is important to hear from
the Royal Society, which says that losing adequacy with the EU
would be damaging for scientific research in the UK, creating new
costs and barriers for UK-EU research collaborations. While the
right hon. Member for Maldon is right about the
importance of being able to share data, particularly scientific
data—and we understand the importance of that for things such as
covid vaccines—we need to make sure this Bill does not set up
further hurdles that could prevent that.
There is probably an awful lot for us to thrash out in Committee.
The SNP will not vote against Second Reading tonight, but I
appeal to those on the Government Front Bench to give an
opportunity for hon. Members to amend and discuss this Bill
properly in Committee.
7.01pm
(Folkestone and Hythe)
(Con)
I am delighted to speak in support of this long-awaited Bill. It
is a necessary piece of legislation to learn the lessons from
GDPR and look at how we can improve the system, both to make it
easier for businesses to work with and to give users and citizens
the certainty they need about how their data will be processed
and used.
In bringing forward new measures, the Bill in no way suggests
that we are looking to move away from our data adequacy
agreements with the European Union. Around the world, in north
America, Europe, Australia and elsewhere in the far east, we see
Governments looking at developing trusted systems for sharing and
using data and for allowing businesses to process data across
international borders, knowing that those systems may not be
exactly the same, but they work to the same standards and with
similar levels of integrity. That is clearly the direction that
the whole world wants to move in and we should play a leading
role in that.
I want to talk briefly about an important area of the Bill:
getting the balance between data rights and data safety and what
the Bill refers to as the “legitimate interest” of a particular
business. I should also note that this Bill, while important in
its own right, sits alongside other legislation—some of it to be
introduced in this Session and some of it already well on its way
through the Parliamentary processes—dealing with other aspects of
the digital world. The regulation of data is an aspect of digital
regulation; it is in some ways the fuel that powers the digital
experience and is relevant to other areas of digital life as
well.
To take one example, we have already established and implemented
the age-appropriate design code for children, which principally
addresses the way data is gathered from children online and used
to design services and products that they use. As this Bill goes
through its parliamentary stages, it is important that we
understand how the age-appropriate design code is applied as part
of the new data regime, and that the safeguards set out in that
code are guaranteed through the Bill as well.
There has been a lot of debate, as has already been mentioned,
about companies such as TikTok. There is a concern that engineers
who work for TikTok in China, some of whom may be members of the
Chinese Communist party, have access to UK user data that may not
be stored in China, but is accessed from China, and are using
that data to develop products. There is legitimate concern about
oversight of that process and what that data might be used for,
particularly in a country such as China.
However, there is also a question about data, because one reason
the TikTok app is being withdrawn from Government devices around
the world is that it is incredibly data-acquisitive. It does not
just analyse how people use TikTok and from that create data
profiles of users to determine what content to recommend to them,
although that is a fundamental part of the experience of using
it; it is also gathering, as other big apps do, data from what
people do on other apps on the same device. People may not
realise that they have given consent, and it is certainly not
informed consent, for companies such as TikTok to access data
from what they do on other apps, not just when they are using
TikTok.
It is a question of having trusted systems for how data can be
gathered, and giving users the right to opt out of such data
systems more easily. Some users might say, “I’m quite happy for
TikTok or Meta to have that data gathered about what I do across
a range of services.” Others may say, “No, I only want them to
see data about what I do when I am using their particular
service, not other people’s.”
The Online Safety Bill is one of the principal ways in which we
are seeking to regulate AI now. There is debate among people in
the tech sectors; a letter was published recently, co-signed by a
number of tech executives, including Elon Musk, to say that we
should have a six-month pause in the development of AI systems,
particularly for large language models. That suggests a problem
in the near future of very sophisticated data systems that can
make decisions faster than a human can analyse them.
People such as Eric Schmidt have raised concerns about AI in
defence systems, where an aggressive system could make decisions
faster than a human could respond to them, to which we would need
an AI system to respond and where there is potentially no human
oversight. That is a frightening scenario in which we might want
to consider moratoriums and agreements, as we have in other areas
of warfare such as the use of chemical weapons, that we will not
allow such systems to be developed because they are so difficult
to control.
If we look at the application of that sort of technology closer
to home and some of the cases most referenced in the Online
Safety Bill, for example the tragic death of the teenager Molly
Russell, we see that what was driving the behaviour of concern
was data gathered about a user to make recommendations to that
person that were endangering their life. The Online Safety Bill
seeks to regulate that practice by creating codes and
responsibilities for businesses, but that behaviour is only
possible because of the collection of data and decisions made by
the company on how the data is processed.
This is where the Bill also links to the Government’s White Paper
on AI, and this is particularly important: there must be an onus
on companies to demonstrate that their systems are safe. The onus
must not just be on the user to demonstrate that they have
somehow suffered as a consequence of that system’s design. The
company should have to demonstrate that they are designing
systems with people’s safety and their rights in mind—be that
their rights as a worker and a citizen, or their rights to have
certain safeguards and protections over how their data is
used.
Companies creating datasets should be able to demonstrate to the
regulator what data they have gathered, how that data is being
trained and what it is being used for. It should be easy for the
regulator to see and, if the regulator has concerns up-front, it
should be able to raise them with the company. We must try to
create that shift, particularly on AI systems, in how systems are
tested before they are deployed, with both safety and the
principles set out in the legislation in mind.
My hon. Friend makes a strong point about safety being designed,
but a secondary area of concern for many people is
discrimination—that is, the more data companies acquire, the
greater their ability to discriminate. For example, in an
insurance context, we allow companies to discriminate on the
basis of experience or behaviour; if someone has had a lot of
crashes or speeding fines, we allow discrimination. However, for
companies that process large amounts of data and may be making
automated decisions or otherwise, there is no openly advertised
line of acceptability drawn. In the future it may be that
datasets come together that allow extreme levels of
discrimination. For example, if they linked data science,
psychometrics and genetic data, there is the possibility for
significant levels of discrimination in society. Does he think
that, as well as safety, we should be emphasising that line in
the sand?
My right hon. Friend makes an extremely important point. In some
ways, we have already seen evidence of that at work: there was a
much-talked-about case where Amazon was using an AI system to aid
its recruitment for particular roles. The system noticed that men
tended to be hired for that role and therefore largely discarded
applications from women, because that was what the data had
trained it to do. That was clear discrimination.
There are very big companies that have access to a very large
amount of data across a series of different platforms. What sort
of decisions or presumptions can they make about people based on
that data? On insurance, for example, we would want safeguards in
place, and I think that users would want to know that safeguards
are in place. What does data analysis of the way in which someone
plays a game such as Fortnite—where the company is taking data
all the time to create new stimuli and prompts to encourage
lengthy play and the spending of money on the game—tell us about
someone’s attitude towards risk? Someone who is a risk taker
might be a bad risk in the eyes of an insurance company. Someone
who plays a video game such as Fortnite a lot and sees their
insurance premiums affected as a consequence would think, I am
sure, that that is a breach of their data rights and something to
which they have not given any informed consent. But who has the
right to check? It is very difficult for the user to see. That is
why I think the system has to be based on the idea that the onus
must rest on the companies to demonstrate that what they are
doing is ethical and within the law and the established
guidelines, and that it is not for individual users always to
demonstrate that they have somehow suffered, go through the
onerous process of proving how that has been done, and then seek
redress at the end. There has to be more up-front responsibility
as well.
Finally, competition is also relevant. We need to safeguard
against the idea of a walled garden for data meaning that
companies that already have massive amounts of data, such as
Google, Amazon and Meta, can hang on to what they have, while
other companies find it difficult to build up meaningful datasets
and working sets. When I was Chairman of the then Digital,
Culture, Media and Sport Committee, we considered the way in
which Facebook, as it then was, kicked Vine—a short-form video
sharing app—off its platform principally because it thought that
that app was collecting too much Facebook user data and was a
threat to the company. Facebook decided to deny that particular
business access to the Facebook platform. [Interruption.] I see
that the Under-Secretary of State for Science, Innovation and
Technology, my hon. Friend the Member for Sutton and Cheam,
is nodding in an approving
way. I hope that he is saying silently that that is exactly what
the Bill will address to ensure that we do not allow companies
with big strategic market status to abuse their market power to
the detriment of competitive businesses.
7.11pm
(Bristol North West) (Lab)
I refer the House to my entry in the Register of Members’
Financial Interests.
The Bill has had a curious journey. It started life as the Data
Protection and Digital Information Bill, in search of the
exciting Brexit opportunities that we were promised, only to have
died and then arisen as the Data Protection and Digital
Information (No 2) Bill. In the Bill’s rejuvenated—and, dare I
say, less exciting—form, Ministers have rightly clawed back some
of the most high-risk proposals of its previous format,
recognising, of course, that our freedom from the European Union,
at least in respect of data protection, is anything but. We may
have left the European Union, but data continues to flow between
the EU and the United Kingdom, and that means of course that we
must keep the European Commission happy to maintain our adequacy
decision. For the most part, the Bill does not therefore
represent significant change from the existing GDPR framework.
There are some changes to paperwork and the appointment of
officers, but nothing radical.
With that settled—at least in my view—the question is this: what
is the purpose of this Bill? The Government aim to reduce
regulatory burdens on business. To give Ministers credit,
according to the independent assessment of the Regulatory Policy
Committee, they have adequately set out how that will
happen—unlike for other Government Bills in recent weeks. I
congratulate the Government on their so-called “co-design” with
stakeholders, which other Departments could learn from in
drafting legislation. But the challenge in reducing business
regulation and co-designing legislation with stakeholders is
knowing how much of an influence the largest, most wealthy voices
have over the smallest, least influential voices.
In this Bill—and, I suspect, in the competition Bill as it
relates to the digital markets unit, and, if rumours are correct,
the media Bill—that means the difference between the voice of big
tech and the voice of the people. If reports are correct, I share
concerns about the current influence of big tech specifically on
Downing Street and about the amount of interference by No. 10 in
the drafting of legislation in the Department. [Interruption.]
Ministers are shaking their heads; I am grateful for the
clarification. I am sure that the reporters at Politico are
watching.
Research is a good example of a concern in the Bill relating to
the balance between big tech and the people. When I was on the
pre-legislative committee of the Online Safety Bill—on which I
enjoyed working with the hon. Member for Folkestone and Hythe,
who spoke before
me—everybody recognised the need for independent academics to
have access to data from the social media companies, for
example, to help us understand the harms that can come from using
social media. The Europeans have progressed that in their EU
Digital Services Act, and even the Americans are starting to look
at legislation in that area. But in the Bill, Ministers have not
only failed to provide this access, but have opted instead to
give companies the right to use our data to develop their own
products. That means in practice that companies can now use the
data they have on us to understand how to improve their products,
primarily and presumably so that we use them more or—for
companies that rely on advertising income—to increase our
exposure to advertising, in order to create more profit for the
company.
All that is, we are told, in the name of scientific research.
That does not feel quite right to me. Why might Ministers have
decided that that was necessary—a public policy priority—or that
it is in any way in the interests of our constituents for
companies to be able to do corporate research on product design
without our explicit consent, instead of giving independent
academics the right to do independent research about online
harms, for example? The only conclusion I can come to is that it
is because Ministers were, in the co-design process, asked by big
tech to allow big tech to do that. I am not sure that consumers
would have agreed, and that seems to be an example of big tech
winning out in the Bill.
The second example relates to consumer rights and the ability of
consumers to bring complaints and have them dealt with in a
timely manner. Clause 7 allows for unreasonable delays by
companies or data controllers, especially those that have the
largest quantities of data on consumers. In practice, that once
again benefits big tech, which holds the most data. The time that
it can take to conclude a complaint under the Bill is remarkably
long and will merely act as a disincentive to bringing a
complaint in the first place.
It can take up to two months for a consumer or data subject to
request access to the data that a company holds on them, then
another two months for the company to confirm whether a complaint
will be accepted. If a complaint is not accepted, there will then
be up to another six months for the Information Commissioner to
decide whether the complaint should be accepted, and if the
Information Commissioner does decide that, the company then has
one more month to provide the data, which was originally asked
for nine months earlier. The consumer can then look at the data
and put in a complaint to the company. If the company does not
deal with the complaint, the earliest that the consumer can
complain to the Information Commissioner is month 14, and the
Information Commissioner will then have up to six months to
resolve the complaint. All in all, that is up to 20 months of
emails, forms, processes and decisions from multiple parties for
an individual consumer to have a complaint considered and
resolved.
That lengthy and complex complaints process also highlights the
risks associated with the provisions in the Bill relating to
automated decision making. Under current law, fully autonomous
decision making is prohibited where it relates to a significant
decision, but the Bill relaxes those requirements and ultimately
puts the burden on a consumer to successfully bring a complaint
against a company taking a decision about them in a wholly
automated way. Will an individual consumer really do that when it
could take up to 20 months? In the world we live in today, the
likes of ChatGPT and other large language models will
revolutionise customer service processes. The approach in the
Bill seems to fail in regulating for the future and,
unfortunately, deals with the past. I ask again: which
stakeholder group asked the Government to draft the law in this
complex and convoluted way? It certainly was not consumers.
In other regulated sectors and areas of law, such as consumer
law, we allow representative bodies to bring what the Americans
call “class actions” on behalf of groups of consumers whose
rights have been infringed. That process is perfectly normal and
exists in UK law today. Experience shows that representative
bodies such as Citizens Advice and Which? do not bring class
actions easily because it is too financially risky. They
therefore bring an action only when there is a clear and
significant breach. So why have Ministers not allowed for those
powers to exist for breaches of data protection law in the same
way that the European Union has, when we are very used to them
existing in UK law? Again, that feels like another win for big
tech and a loss for consumers. Reducing unnecessary compliance
burdens on business is of course welcome, but the Government seem
to have forgotten that data protection law is based on a
foundation of protecting the consumer, not being helpful to
business.
On a different subject, I highlight once again the ongoing creep
of powers being taken from Parliament and given to the Executive.
We have already heard about the powers for the Secretary of State
to make amendments to the legislation without following a full
parliamentary process. That keeps happening—not just in this Bill
but in other Bills this Session, including the Online Safety
Bill. My Committee, which has whole-of-Government scrutiny powers
in relation to good regulation, has reprimanded the
Department—albeit in its previous form—for the use of those Henry
VIII powers. It is disappointing to see them in use again.
The Minister, in response to my hon. Friend the Member for Weaver
Vale, said that the Government
had enhanced oversight of the Information Commissioner by giving
themselves power to direct some of its legitimate interests or
decisions, or the content of codes. I politely point out that the
Information Commissioner regulates the Government’s use of our
data. It seems odd to me that the Government alone are being
given enhanced powers to scrutinise the Information Commissioner,
and that Parliament has not been given additional oversight; that
ought to be included.
The Government have yet to introduce any substantive legislation
on biometrics. Biometric data is the most personal type of data,
be it about our faces, our fingerprints, our voices or other
characteristics that are personal to our bodies. The Bill does
not even attempt to bring forward biometric-specific regulation.
My private Member’s Bill in the 2019-21 Session—now the Forensic
Science Regulator Act 2021—originally contained provisions for a
biometrics strategy and associated regulations. At the then
Minister’s insistence, I removed those provisions, having been
told that the Government were drafting a more wide-ranging
biometrics Bill, which we have not seen. That is especially
important in the light of the Government’s artificial
intelligence White Paper, as lots of AI is driven by biometric
data. We have had some debate on the AI White Paper, but it
warrants a whole debate, and I hope to secure a Westminster Hall
debate on it soon. We need to fully understand the context of the
AI White Paper as the Bill progresses through Committee and goes
to the other place.
I am conscious that I have had an unusual amount of time, so I
will finish by flagging two points, which I hope that the
Parliamentary Under-Secretary of State for Science, Innovation
and Technology will respond to in his summing-up. The first is
the age-appropriate design code. I think that we all agree in
this House that children should have more protection online than
other users. The age-appropriate design code, which we all
welcomed, is based on the foundation of GDPR. There are concerns
that the changes in the Bill, including to the rights of the
Secretary of State, could undermine the age-appropriate design
code. I invite the Minister to reassure us, when he gets to the
Dispatch Box, that the Government are absolutely committed to the
current form of the age-appropriate design code, despite the
changes in the Bill.
The last thing I invite the Minister to comment on is data
portability. It will drive competition if companies are forced to
allow us to download our data in a way that allows us to upload
it to another provider. Say I wanted to move from Twitter to
Mastodon; what if I could download my data from Twitter, and
upload it to Mastodon? At the moment, none of the companies
really allow that, although that was supposed to happen under
GDPR. The result is that monopolies maintain their status and
competitors struggle to get new customers. Why did the Government
not bring forward provision for improved data portability in the
Bill? To draw on a thread of my speech, I fear that it may be
because that is not in the interests of big tech, though it is in
the interests of consumers.
I doubt that I will be on the Bill Committee. I am sorry that I
will not be there with colleagues who seem to have already
announced that they will be on it, but I am sure that they will
all consider the issues that I have raised.
7.22pm
(Loughborough) (Con)
This Bill provides us with yet another opportunity to ensure that
our legal and regulatory frameworks are tailored to our needs and
specifications, now that we are free from the confines of EU law.
It is crucial that we have a data rights regime that maintains
the high data protection standards that the public expect, but it
must do so in a way that is not overly burdensome to businesses
and public services, and does not stifle innovation, growth and
productivity. The Bill will go a long way to achieving that, but
I would like to focus on one small aspect of it.
Announcing the First Reading of the Bill, the Secretary of State
stated that it would improve
“the efficiency of data protection for law enforcement and
national security partners encouraging better use of personal
data where appropriate to help protect the public. It provides
agencies with clarity on their obligations, boosting the
confidence of the public on how their data is being
used.”—[Official Report, 8 March 2023; Vol. 729, c. 20WS.]
That is a positive step forward for national security, but we are
missing a crucial opportunity to introduce further reforms that
will reduce administrative burdens on police forces across the
UK.
I recently met members of the Leicestershire Police Federation,
who informed me of the association’s concerns regarding part 3 of
the Data Protection Act 2018. Specifically, the Police Federation
is concerned about how the requirements of part 3 interact with
the Crown Prosecution Service’s “Director’s Guidance on
Charging”, which obliged the police to provide more information
to the CPS pre-charge. That information includes unused material,
digitally recovered material and third-party material, all of
which must be redacted in accordance with the Data Protection
Act.
Combined, the guidance’s requirements and the provisions of the
Act represent a huge amount of administrative work for police
officers, who would have to spend hours making the necessary
redactions. Furthermore, much of that work may never be used by
the CPS if no charge is brought, or the defendant pleads guilty
before trial. Nationally, around 25% of cases submitted to the
CPS result in no charge. This desk-based work would remove police
officers from the frontline.
Picture the scene of an incident. Say that 10 police officers
attend, all turning on their body cameras as they arrive. They
deal with different aspects of the incident; they talk to a
variety of people and take statements, standing in different
positions that result in different backgrounds to the video
footage and different side-conversations being captured. The lead
officer then spends hours, if not days, redacting all the written
data and video footage generated by all the officers, only for
the redacted data to be sent to a perfectly trusted source, the
CPS, which will not necessarily take the case forward.
The data protection Bill is meant to update and simplify the data
protection framework used by bodies in the UK. The Bill refers to
the work of the police in national security situations, but it
should also cover their day-to-day work as a professional body.
They should be able to share their data with the CPS, another
professional body. Both have a legitimate interest in accessing
and sharing the data collected. My hon. Friend the Minister for
Data and Digital Infrastructure will know that this is an issue,
as I have already raised it with her. I am very grateful for her
considered response, and for the Government’s commitment to
looking into this matter further, including in the context of
this Bill, and at whether the Police Federation’s idea of a data
bubble between the police service and the CPS is a workable
solution.
I look forward to working with the Government on the issue. It is
vital that we do what we can to ease the administrative burden on
police officers, so that we can free up thousands of policing
hours every year and get police back to the frontline, where they
can support communities and tackle crime. Speaking of easing
burdens, may I also take this opportunity to wish my hon. Friend
the Minister the very best with the arrival that is expected in,
I suspect, the none-too-distant future?
7.26pm
(Cambridge) (Lab)
My interest in this debate comes from my representing a science
and research city, where data, and transferring it, is key, and
from my long-term background in information technology. Perhaps
as a consequence of both, back in 2018 I was on the Bill
Committee that had the interesting task of implementing GDPR,
even though, as my hon. Friend the Member for Bristol North
West—my good friend—pointed out at
the time, none of us had the text in front of us. I think he
perhaps had special access to it. In those long and complicated
discussions, there were times when I was not entirely sure that
anyone in the room fully gripped the complexity of the
issues.
I recall that my right hon. Friend the Member for Birmingham,
Hodge Hill persistently called for a
longer-term vision that would meet the fast-changing challenges
of the digital world, and Labour Members constantly noted the
paucity of resources available to the Information Commissioner’s
Office to deal with those challenges, notwithstanding
yellow-vested people entering offices. Five years on, I am not
sure that much has changed, because the Bill before us is still
highly technical and detailed, and once again the key issues of
the moment are being dodged.
I was struck by the interesting conversations on the Conservative
Benches, which were as much about what was not being tackled by
the Bill as what is being tackled—about the really hot issues
that my hon. Friend the Member for Manchester Central mentioned in
her Front-Bench
speech, such as ChatGPT and artificial intelligence. Those are
the issues of the moment, and I am afraid that they are not
addressed in the Bill. I make the exact point I made five years
ago: there is the risk of hard-coding previous prejudice into
future decision making. Those are the issues that we should be
tackling.
I chair the all-party parliamentary group on data analytics,
which is carrying out a timely review of AI governance. I draw
Members’ attention to a report made by that group, with the help
of my hon. Friend the Member for Bristol North West, called
“Trust, Transparency and Technology”. It called for, among other
things, a public services licence to operate, and transparent,
standardised ethics and rules for public service providers such
as universities, police, and health and care services, so that we
can try to build the public confidence that we so need. We also
called for a tough parliamentary scrutiny Committee, set up like
the Public Accounts Committee or the Environmental Audit
Committee, to make sure the public are properly protected. That
idea still has strong resonance today.
I absolutely admit that none of this is easy, but there are two
particular areas that I would like to touch on briefly. One,
which has already been raised, is the obvious one of data
adequacy. Again, I do not feel that the argument has really moved
on that much over the years. Many of the organisations producing
briefings for this debate highlight the risks, and back in
2018—as I think the right hon. Member for Maldon (Sir ) pointed out—there were
genuine concerns that we would not necessarily achieve an
adequacy agreement with the European Union. Frankly, it was
always obvious that this was going to be a key point in future
trade negotiations with the EU and others, and I am afraid that
that is the way it has played out.
It is no surprise that adequacy is often a top issue, because it
is so essentially important, but that of course means that we are
weakened when negotiation comes to other areas. Put crudely, to
get the data adequacy agreements we need, we are always going to
be trading away something else, and while in my opinion the EU is
always unlikely to withhold at the very end, the truth is that it
can, and it could. That is a pretty powerful weapon. On the
research issues, I would just like to ask the Minister whether,
in summing up, he could comment on the concerns that were raised
back in 2018 about the uncertainty for the research sector, and
whether he is confident that what is proposed now—in my view, it
should have been done then—can provide the clarity that is
needed.
On a more general note, one of the key Cambridge organisations
has pointed out to me that, in its view, it is quite hard to see
the point of this Bill for organisations that are operating
globally because, as the EU GDPR has extraterritorial effect,
they are still going to need to meet those standards for much of
what they do. It would simply be too complicated to try to apply
different legal regimes to different situations and people. That
is the basic problem with divergence: when organisations span
multiple jurisdictions, taking back control is frankly
meaningless. Effectively, it cedes control to others without
having any influence—the worst of all worlds. That organisation
also tells me that it has been led to believe by the Government,
as I think was echoed in some of the introductory points, that
any organisation wishing to carry on applying current legal
standards will, by default, meet those in the new Bill. It is
sceptical about that claim, and it would like some confirmation,
because it rightly wonders how that can be the case when new
concepts and requirements are introduced and existing ones
amended.
There is much, much more that could be said, has been said and
will be said by others, including genuine concerns about the
weakening of rights around subject access requests and some of
the protections around algorithmic unfairness. Those need to be
tested and scrutinised in Committee; frankly, too much cannot
just be left to ministerial judgment. Huge amounts of data are
now held about all of us, and the suspicion is rightly held that
decisions are sometimes made without our knowledge, decisions
that can have a direct impact on our lives. I think we can all
agree that data used well can be transformative and a power for
good, but that absolutely relies on confidence and trust, which
in turn requires a strong regulatory framework that engenders
that trust. It feels to me like this Bill fails to meet some of
those challenges. It needs to be strengthened and improved.
7.32pm
(Aberconwy) (Con)
It is a pleasure to follow the speech of the hon. Member for
Cambridge, and in fact, I have
enjoyed listening to the various contributions about the many
aspects of the many-headed hydra that the data Bill represents.
In particular, the point made by the hon. Member for Manchester
Central about interoperability and the one made by the hon. Member
for Glasgow North West about hurdles are points I will be returning
to briefly.
I welcome the fact that we have a Bill that focuses on data. Data
is the new oil, as they say, and it is essential that we grapple
with the implications of that. If there is need of an example,
data was critical in our fight against covid-19. Data enabled the
rapid processing of new universal credit applications. Data meant
that we could target funds into business accounts quickly to make
sure that furlough payments were made. Data gave us regular
updates on infection rates, and data underpinned the research
into vaccines, their rapid roll-out, and their reporting to the
right people, at the right time and in the right place. We have
also seen that data on all those matters was questioned at every
step of the way then and continuously since.
Data matters. This Bill matters: it gives us an opportunity to
redefine our regulatory approach, as the hon. Member for
Cambridge alluded to. It also provides a clearer and more stable
framework for appropriate international transfers of personal
data—I stress the word “appropriate”. In addition, it is welcome
that the Bill extends data-sharing powers, enabling the targeting
of Government services to support business growth more
effectively and deliver joined-up public services, which will be
the thrust of my contribution. I also welcome the Bill’s delivery
of important changes to our everyday lives. Whether it is an
increase in financial penalties for those behind nuisance calls,
addressing the number of cookie pop-ups on web browsers that we
use every day, or providing a trusted framework for digital
verification services, these are important updates in protecting
everyday lives that are, in part, lived online now. That is to be
welcomed—provided, again, that the necessary safeguards are in
place.
I will give the bulk of my time to focusing on another area in
which I think the Bill could go much further. The Bill recognises
that, for public services to operate efficiently, safely and with
effective scrutiny, data should be collected, presented,
processed and shared in a consistent way, yet it is frustrating
that the current scope of the Bill is for such information
standards to apply in England only.
I am going to use health as an example to illustrate my point. In
Aberconwy, we are experiencing severe, systematic failings in the
delivery of health services across north Wales. The health board
has been under special measures for six of the past eight years,
and in their latest intervention, the Welsh Government have just
sacked the non-executive members of the board. It therefore comes
as little surprise that health is the No. 1 domestic concern for
constituents across north Wales, or that my constituents put it
into our plan for Aberconwy. This is not an exercise in point
scoring, but in this Bill, I see an opportunity to help to tackle
that problem. Wales is linked to the rest of the UK, historically
and today, on an east-west axis for family, business, leisure and
public services. Our health and social care services in north
Wales rely on working and sharing information with colleagues in
England—with hospitals in Chester, Stoke and Liverpool. However,
sharing that data, which relies on the interoperability that the
hon. Member for Manchester Central referred to, often presents an
obstacle to care.
Of course, I recognise and respect that health is a devolved
matter that is under the remit of the Welsh Government in Cardiff
Bay, but one of the arguments made in favour of Welsh devolution
25 years ago was that it would enable learning from comparisons
between different policy approaches across the UK, exposing
underperformance as well as celebrating successes. In order to do
so, though, we must have comparable and reliable data. If this
sounds familiar, I made exactly that point in the debate on the
Health and Care Bill back in November 2021. At that time, working
with hon. Friends from across north Wales, we showed that we had
overwhelming support from patients—they agreed that data must be
shared. The healthcare professionals we spoke to also agreed that
data needed to be shared. The IT experts we consulted with agreed
that data must and could be shared, and the local administrators,
community groups and civil servants we spoke to also told us that
data needed to be shared. However, the reality is that currently,
data in different parts of the UK is often not comparable, nor is
the timing of its publication aligned.
Again, I have focused today on health as a pressing and urgent
example of the need for sharing data, but these points apply
across our public services. Indeed, my hon. Friend the Member for
Loughborough gave an excellent and powerful
practical example of how data sharing within the police
inadvertently introduces all sorts of unnecessary barriers. As
much as I have spoken about health, these points apply equally to
the education of our children, the wellbeing of our grandparents,
skilling our workforce, levelling up our communities, ensuring
fair and competitive environments for business across the UK, and
more—not least the future of our environment.
I repeat: good data is essential for good services. I recognise
the good work that is going on in the Office for National
Statistics, with the helpful co-operation of devolved
Administrations, but it is time and an opportunity for the
Government to consider amending the Bill in Committee to mandate
agreement on, and the collection and publication of, key UK-wide
data for public services. That data should be timely, accessible
and interoperable.
All Administrations will already hold data for the operation of
public services, but comparability and interoperability will
allow professionals and planners to assign resources and guide
interventions where they are needed most. It will allow patients
and users of public services to make informed decisions about
where to be treated, where to live and where to seek those
services. It will also allow politicians like me to be held to
account when services fail. I do not believe that such an
amendment would divide the House in compassion or in common
sense.
In conclusion, I know our Prime Minister understands the
importance of data. He seeks to put it at the heart of a modern,
innovative, dynamic and thriving UK, but it must be good data
that flows through our veins and to all parts of our nation if it
is to animate us and make the UK a success. For that reason, we
need to go further. We need to ensure data comparability and
interoperability across all parts of the UK. I look forward to
hearing the Minister’s closing remarks.
7.40pm
(Oxford West and Abingdon) (LD)
I start by echoing the well wishes to the Secretary of State on
her imminent arrival. I am delighted to be here in my first
outing as the Lib Dem spokesperson for science, innovation and
technology, although in my mind I consider it as the spokesperson
for proud geeks. I appreciate that is not a term everyone likes,
but as a physics graduate and an MP for Oxford, where we have
many fellow-minded geeks, I am proud to call myself that.
Much as this important Bill is geeky and technical—it sounds like
it will be an interesting Bill Committee—it integrates into our
whole lives. People have spoken about the potential and progress,
and I agree to an extent with the comment from the hon. Member
for Aberconwy about this being the new
oil. However, in the context of climate change, there is a lesson
for us there. Imagine that we knew then what we know now. We can
already see that here. As new as some of these technologies are,
and as new as some of these challenges may be, it does feel like,
as legislators, we are constantly playing catch-up with this
stuff.
We consult and we look, and we know what the problems are and
what the issue fundamentally is, but I agree with the hon. Member
for Cambridge that we need a bit of
vision here. I would argue that what we need is what my former
colleague, the former Member for East Dunbartonshire, called for,
which is a code of ethics for data and artificial intelligence. I
sincerely hope that the Government, with the extra power to the
elbow of the new Department, can put some real resource behind
that—not in White Papers and thought, but in a proper bit of
legislation that answers some of the questions raised earlier
about the moral use, for example, of artificial intelligence in
war.
Those are important questions. The problem and worry I have is
that this Government and others will find themselves constantly
on the back foot, unless we talk not just about the geekery and
the technical bits—by the sounds of it, there are enough of us in
the House who would enjoy doing that—but about the slightly
loftier and more important ways that this Bill will connect with
society.
In the digital first age, the Government themselves are
encouraging those who want to access benefits and every other
part of the state to do so digitally. If someone is to be a full
citizen of the state, they are required often to give over their
data. If someone does not want to engage with the digital realm,
it is difficult for them to access the services to which they are
entitled. Those are some of the big issues that encircle this
Bill. It is fair to make that point on Second Reading, and I urge
the Government, and especially the new Department, to give
serious thought to how they will knit this all together, because
it is incredibly important.
The Liberal Democrats have a few issues with the Bill. I
associate myself with the remarks of the hon. Member for Bristol
North West, and in particular what he
said in asking who is at the centre of the Bill, which is
incredibly important. As liberals, we believe it should always be
the citizen. Where there is a conflict of interest between the
citizen, business and the state, in our view and in our political
ideology, the citizen always comes top. I am not convinced that
has been at the heart of the Bill at points. Citizens have been
thought about, but were they at the centre of it at every stage?
I am afraid that our ability as individuals to access, manipulate
and decide who has our data has at various stages got lost.
The concerns we share with others are in four main areas: the
Bill will undermine data rights; it will concentrate power with
the Secretary of State—notwithstanding potential change in
government, that is the sort of thing that Parliament needs to
think about in the round, regardless of who is in power; the Bill
will further complicate our relationship with Europe, as some
have mentioned; and it sets a worrying precedent.
We need to understand where we start from. Only 30% of people in
the UK trust that the Government use their data ethically. That
means that 70% of people in the UK do not. Polls across the world
have shown roughly the same thing. That is a huge level of
mistrust, and we need to take it seriously. The Open Rights Group
has described the Bill as part of a deregulatory race to the
bottom, as the rights and safeguards of data subjects could be
downgraded because of the changes proposed.
Clause 5 and schedule 1 to the Bill introduce a whole set of
legitimate interests for processing data without consent and with
few controls around their application. The Bill changes the
definition of personal data, which would reduce the circumstances
in which that information is protected. It reforms subject access
requests, as others have said. We all run our own small
businesses in our offices as MPs. We understand the burden placed
on small businesses in particular, but it is absolutely the right
of that individual to find out what is held on them in the way
that subject access requests allow. If there is a conflict, it is
the right of the individual that needs to be protected. The
Government assess that the proposal would save about £82 a year—a
price worth paying, given the number of consumers whom those
businesses on average are looking after. There is an important
hierarchy of user use that is not entirely captured by what the
Government have been saying so far.
Big Brother Watch has said:
“The revised Data Protection and Digital Information Bill poses
serious threats to Brits’ privacy. The Government are determined
to tear up crucial privacy and data protection rights that
protect the public from intrusive online surveillance and
automated-decision making in high-risk areas. This bonfire of
safeguards will allow all sorts of actors to harvest and exploit
our data more than ever before. It is completely unacceptable to
sacrifice the British public’s privacy and data protection rights
on the false promise of convenience.”
I am deeply concerned that far from restoring confidence in data
protection, the Bill sets a dangerous precedent for a future in
which rights and safeguards are undermined. I have listened to
what the Secretary of State has said at the Dispatch Box. I
sincerely hope that those safeguards that the Government want to
keep in place will remain in place, but we should be listening to
those third-party groups that have scrutinised this Bill in some
detail. There are legitimate concerns that need to be
addressed.
My other concern is the concentration of power with the Secretary
of State. As I have said before, while it would be lovely to
think that all Secretaries of State and all Governments will all
think the same on this and that we all have the same principles,
my deep concern is that one day that will not happen. There is an
important part for Parliament to play, especially when
legislation is running behind what is happening in society, in
raising the issues in real time. My worry is that by acting
through secondary legislation, which we end up scrutinising less
and less often, the Government do not have a mechanism for
Parliament to feed in as society changes, which can be
year-on-year. We need some way, whether through a Select
Committee or whatever, to be able to keep pace with changes in
society.
Finally, I want to talk about adequacy and in particular its loss
being a real concern. I am pleased to hear that being raised on
all sides in the House, which is a good sign, but I hope that
this is not a case where little then gets changed in the Bill, as
we have seen many times over. We could have it both ways: we can
diverge from EU standards if we make the protection of the rights
of the citizens stronger. Some who have mentioned divergence,
however, have spoken about a weakening, which I worry will lead
to a loss of adequacy.
In closing, will the Minister give a cast-iron guarantee to
businesses that rely on it—and to our researchers who equally
rely on it—that adequacy will not be watered down but will be one
of the key tenets of how we move forward? Certainty for
businesses and our researchers is incredibly important, and if
there is any suggestion that changes in the Bill will affect
that, they must be pulled immediately.
7.50pm
(Strangford) (DUP)
It is a pleasure to add some comments and make a contribution,
and also to have heard all the right hon. and hon. Members’
speeches as I have sat here tonight. There will not be any votes
on the Bill, I understand, but if there had been, my party would
have supported the Government, because I think the intention of
the Minister and the Government is to try to find a correct way
forward. I hope that some of the tweaking that is perhaps needed
can happen in a positive way that can address such issues. It is
always good to speak in any debate in this House, but this is the
first one after the recess, and I am indeed very pleased to be a
part of any debates in the House. I have spoken on data
protection and its importance in the House before, and I again
wish to make a contribution, specifically on medical records and
protection of health data with regard to GP surgeries. I hope to
address that with some questions for the Minister at the end.
Realistically, data protection is all around us. I know all too
well from my constituency office that there are guidelines. There
are procedures that my staff and I must follow, and we do follow
them very stringently. It is important that businesses, offices,
healthcare facilities and so on are aware of the guidelines they
must follow, hence the necessity of this Bill. As I have said, if
there had been a vote, we would have supported the Government,
but it seems that that will not be the case tonight. Data
exposure means the full potential for it to fall into the wrong
hands, posing dangers to people and organisations, so it is great
to be here to discuss how we can prevent that, with the
Government presenting the legislation tonight and taking it
through Committee when the time comes.
I have recently had some issues with data protection—this is a
classic example of how mistakes can happen and how important data
can end up in the wrong place—when in two instances the
Independent Parliamentary Standards Authority accidentally
published personal information about me and my staff online. It
did not do it on purpose—it was an accident, and it did retrieve
the data very quickly—but it has happened on two occasions at a
time of severe threat in Northern Ireland and a level of threat
on the mainland as well. Although the matter was quickly
resolved, it is a classic example of the dangers posed to
individuals.
I am sure Members are aware that the threat level in Northern
Ireland has been increased. Despite there being external
out-of-office security for Members, I have recently installed
CCTV cameras in my office for the security of my staff, which,
though not as great in comparison, is my responsibility. I have
younger staff members in their 20s who live on their own, and
staff who are parents of young children, and they deserve to know
that they are safe. Anxieties have been raised because of the
data disclosure, and I imagine that many others have experienced
something similar.
I want to focus on issues about health. Ahead of this debate, I
have been in touch with the British Medical Association, which
raised completely valid concerns with me about the protection of
health data. I have a number of questions to ask the Minister, if
I may. The BMA’s understanding of the Bill is that the Secretary
of State or the Minister will have significant discretionary
powers to transfer large quantities of health information to
third countries with minimal consultation or transparent
assessment about how the information will benefit the UK. That is
particularly worrying for me, and it should be worrying for
everyone in this House. I am sure the Minister will give us some
clarification and some reassurance, if that is possible, or tell
us that this will not happen.
There is also concern about the Secretary of State having the
power to transfer the same UK patients’ health data to a third
country if it is thought that that would benefit the UK’s
economic interests. I would be very disturbed, and quite annoyed
and angry, that such a direction should be allowed. Again, the
Minister may wish to comment on that at the end of the debate. I
would be grateful if the Minister and his Department provided
some clarity for the BMA about what the consultation process will
be if information is to be shared with third-party countries or
organisations.
There have also been concerns about whether large tech and social
media companies are storing data correctly and upholding
individuals’ rights or privacy correctly. We must always
represent our constituents, and the Bill must ensure that the
onus of care is placed on tech companies and organisations to
legally store data safely and correctly. The safety and
protection of data is paramount. We could not possibly vote for a
Bill that undermined trust, furthered economic instability and
eroded fundamental rights. Safeguards must be in place to protect
people’s privacy, and that starts in the House today with this
Bill. Can the Minister assure me and the BMA that our data will
be protected and not shared willy-nilly with Tom, Dick and Harry?
As I have said, protection is paramount, and we need to have it
in place.
To conclude, we have heard numerous stories both from our
constituents and in this place about the risks of ill-stored and
unprotected data. The Bill must aim to retain high data
protection standards without creating unnecessary barriers for
individuals and businesses. I hope that the Minister and his
Department can answer the questions we may have to ensure that
the UK can be a frontrunner in safe and efficient data
protection. We all want that goal. Let us make sure we go in the
right direction to achieve it.
Madam Deputy Speaker
I call the shadow Minister.
7.57pm
(Barnsley East) (Lab)
I would like to add my best wishes to the Minister and the
Secretary of State on their imminent arrivals.
We are in the midst of a tech revolution, and right at the centre
of this is data. From social media and online shopping to the
digitisation of public services, the rate at which data is being
collected, processed and shared is multiplying by the minute.
This new wealth of data holds great potential for innovation,
boosting economic growth and improving the delivery of public
services. The aims of the Bill to unlock the economic and
societal benefits of data while ensuring strong, future-proofed
privacy rights are therefore ones that we support. We welcome,
for example, provisions to modernise the ICO structure, and we
support provisions for the new smart data regimes, so long as
there are clear requirements for impact assessments.
However, the Bill in its current form does not go far enough in
actually achieving its aims. Its narrow approach and lack of
clarity render it a missed opportunity to implement a truly
innovative and progressive data regime. Indeed, in its current
form many clarifications will be needed to reassure the public
that their rights will not be weakened by the Bill while sweeping
powers are awarded to the Secretary of State. Currently, solely
automated processing is defined by the Bill as one having “no
meaningful human involvement” that results in a “significant
decision”, with the Secretary of State trusted with powers to
amend what counts within this definition. The lack of detail on
the boundaries of such definitions as well as their ability to
change over time have concerned the likes of the Ada Lovelace
Institute and the TUC.
The Chair of the Business, Energy and Industrial Strategy
Committee, my hon. Friend the Member for Bristol North West,
outlined in his powerful
speech the power imbalance between big tech and the people, which
is an important insight and a challenge for us in this House.
Indeed, just this month Uber was found to have violated the
rights of three UK-based drivers by firing them without appeal on
the basis of fraudulent activity picked up by its automated
decision-making system. In its judgment, the court found that the
limited human intervention in Uber’s automated decision process
was not
“much more than a purely symbolic act”.
This case and the justice the drivers received therefore
explicitly relied on current legislation in the form of article
22 of the UK GDPR, and a clear understanding of what constitutes
meaningful human involvement. Without providing clear boundaries
for defining significant decisions and meaningful human
involvement, this Bill therefore risks removing the exact rights
that won this case and creating an environment where vital
safeguards, such as the right to contest automated decisions and
request human intervention, could easily become exempt from
applying at the whim of the Secretary of State. This must be
resolved, and the public must be reassured that they will not be
denied a job, mortgage or visa by an algorithm without a method
of redress.
There is also a lack of clarity around how rules allowing
organisations to charge a fee or refuse subject access requests
deemed “vexatious” and “excessive” will work, as the likes of
Which? and the Public Law Project have argued and which my hon.
Friend the Member for Cambridge highlighted. Indeed, if
the list of circumstances where these terms might be met is
non-exhaustive, what safeguards will be in place to stop
controllers from abusing this, deciding that any request they
dislike is vexatious? Organisations should absolutely be
supported in directing resources to good faith requests, but we
must be careful to ensure that any new limits are protected
against abuse.
Reform of the responsibilities of the Information Commissioner’s
Office is another area in need of analysis. Indeed, more than
evolving its structure, the Bill gives the Secretary of State
power to set the strategic priorities of the regulator and
approve codes of practice. This has sparked concern across the
spectrum of stakeholders, from the Open Rights Group to techUK,
over what it means for the regulator’s independence. Given these
new powers, particularly in cases where guidance addresses the
activity of the Government, how can Ministers assure us that a
Secretary of State will not be marking their own homework?
Whether it is the Secretary of State being able to amend the
“recognised legitimate interests” list or the removal of the
requirement for consultation on impact assessment, this same
theme is echoed throughout the Bill, which was raised by the hon.
Member for Oxford West and Abingdon. Without additional guidance
and clear examples of how definitions apply, it is hard to grasp
the full extent of the consequences of these new measures,
especially given the sweeping powers of the Secretary of State to
make further changes. We will look to ensure that this clarity is
included in the Bill, so that everyone can be assured of their
rights and of a truly independent regulator. We must also ensure
that children are protected by the Bill and that the
age-appropriate design code is not compromised, as raised by the
hon. Member for Folkestone and Hythe and others across the
House.
Clarity on the new regime is also vital for reassuring businesses
who still have fears around losing EU adequacy, something raised
throughout this debate and which the former Secretary of State
the right hon. Member for Maldon (Sir ) outlined in his
contribution. The Government have said that they recognise that
losing adequacy would be disastrous, costing up to £460 million
as a one-off and £410 million every year afterwards. Ministers
have rightly rowed back on many of the more concerning
suggestions from their consultation, but they must be absolutely
clear on how they are sure that the measures in the Bill,
particularly those that toy with the regulator’s independence and
give Ministers power to create further change, will not threaten
adequacy.
Having already made significant adjustments to comply with UK
GDPR, the changes in the Bill must also be careful not to create
further uncertainty for businesses. Indeed, although Ministers
say that anyone who abides by the current rules will still be
compliant after the passing of the Bill, organisations will still
have to do their own legal due diligence to understand how, if at
all, this set of amendments impacts them. It would therefore be
good to hear from Ministers on how they plan to ensure that
businesses, particularly small and medium-sized enterprises, are
supported in understanding the requirements on them.
We understand the Government’s attempts to future-proof this
legislation, and it would be great to see an end to constant
cookie banners or nuisance calls, which the hon. Member for
Aberconwy referenced, but the measures
in the Bill rely on technology that does not currently
operationally exist. In the case of browser-enabled cookie
models, there is also the concern that this may entrench power in
the hands of existing tech giants and muddy the waters on
liability. We must be careful, therefore, to ensure that
businesses can actually implement what the Bill requires.
Ultimately, with the exception of the section on smart data, this
Bill chooses to take a very narrow view of what an innovative
data regime could look like. In the context of a rapidly changing
world, this Bill was a great opportunity to really consider how
we can get data working in better interests, like those of the
general public or small businesses. Labour would have used a Bill
like this to, for example, examine how data can empower
communities and collective groups such as workers in industries
who have long felt that they have been on the wrong end of
automated decision-making as well as the automation of jobs.
We would also have sought to improve public trust and
understanding in how our data is used, particularly since the
willingness to share data has been eroded after the likes of the
Cambridge Analytica scandal, the NHS data opt-out, and the exam
algorithm scandal, which disproportionately affected my
constituents in Barnsley. As it stands, however, the Bill seems
only to consider data rights when they emerge as a side product
of making changes to rules for processors. Data rights and data
protection have wide-ranging consequences across society, as the
hon. Member for Strangford discussed. Labour would have used this as an
opportunity to look at the larger picture of data ownership.
Deregulation measures such as those in the Bill might mean less
work for some small businesses, but as long as a disproportionate
amount of data is held by a limited number of firms, they will
still be at a large competitive disadvantage. From introducing
methods of collective redress to nurturing privacy-enhancing
technologies, there are many positive opportunities a progressive
data Bill could have explored to put our country at the forefront
of innovation while genuinely strengthening rights and trust for
the modern era, but the Government have missed this
opportunity.
Overall, we can all agree on unlocking innovation through data
while ensuring data subjects have the rights and trust they
fundamentally deserve. However, there are many areas for clarity
and improvement if this Bill is to match the bold vision required
to truly be at the forefront of data use and data protection. I
look forward to working closely with Ministers in the coming
months towards legislation that better fulfils these aims.
8.05pm
The Parliamentary Under-Secretary of State for Science,
Innovation and Technology
I thank all Members for their contributions, including the hon.
Members for Manchester Central, for Glasgow North West, for
Bristol North West, for Cambridge, for Oxford West and Abingdon,
for Strangford and for Barnsley East and my right hon. Friend
the Member for Maldon (Sir ) and my hon. Friends the Members
for Folkestone and Hythe, for Loughborough and for Aberconwy.
The debate has been held in
the right spirit, understanding the importance of data, and I
will try to go through a number of the issues raised.
Adequacy has come up on a number of occasions. We have been
straight from the beginning that adequacy is very important and
we work with the EU Commission on this; we speak to it on a
regular basis, but it is important to note that the EU does not
require exactly the same rules to be in place to be adequate. We
can see that from Japan and from New Zealand, so we are trying to
get the balance right and making sure that we remain adequate not
just with the EU but with other countries with which we want to
have data bridges and collaboration. We are also making sure that
we can strip back some of the bureaucracy not just for small
businesses, but for public services including GPs, schools and
similar institutions, as well as protecting the consumer, which
must always be central.
Automated decision-making was also raised by a number of Members.
The absence of meaningful human intervention in solely automated
decisions, along with opacity in how those decisions can be
reached, will be mitigated by providing data subjects with the
opportunity to make representations about, and ultimately
challenge, decisions of this nature that are unexpected or seem
unwarranted. For example, if a person is denied a loan or access
to a product or services because a solely automated
decision-making process has identified a high risk of fraud or
irregularities in their finances, that individual should be able
to contest that decision and seek human review. If that decision
is found to be unwarranted on review, the controller must
re-evaluate the case and issue an appropriate decision.
Our reforms are addressing the uncertainty over the applications
of safeguards. They will clarify when safeguards apply to ensure
that they are available in appropriate circumstances. We will
develop that with businesses and other organisations in
guidance.
The hon. Member for Glasgow North West talked about joint-working
designation notices and it is important to note that the police
and intelligence services are working off different data regimes
and that can make joint-working more difficult. Many of the
changes made in this Bill have come from learning from the
Fishmongers’ Hall terrorist incident and the Manchester Arena
bombing.
Members raised the question of algorithmic bias. We agree that it
is important that organisations are aware of potential biases in
data sets and algorithms and bias monitoring and correction can
involve the use of personal data. As we set out in our response
to the consultation on the Bill, we plan to introduce a statutory
instrument that will provide for the monitoring and correction of
bias in AI systems by allowing the processing of sensitive
personal data for this purpose with appropriate safeguards.
However, as we know from the AI White Paper we published
recently, this is a changing area so it is important that we
remain able to flex in Government in the context of AI and that
type of decision-making.
The hon. Member for Bristol North West talked about biometrics.
That is classed as sensitive data under the UK GDPR, so is
already provided with additional protection. It can only be
processed if a relevant condition is met under article 9 or
schedule 1 of the Data Protection Act. That requirement provides
sufficient safeguards for biometric data. There are significant
overlaps in the current oversight framework, which is confusing
for the police and the public, and it inhibits innovation. That
is why the Bill simplifies the oversight for biometrics and overt
surveillance technologies.
The hon. Gentleman talked about age-appropriate guidance. We are
committed to protecting children and young people online. The
Bill maintains the high standards of data protection that our
citizens expect and organisations will still have to abide by our
age-appropriate design code. Any breach of our data protection
laws will result in enforcement action by the Information
Commissioner’s Office.
The hon. Gentleman also talked about data portability. The Bill
increases data portability by setting up smart data regulations.
He talked about social media, but it is far wider than that.
Smart data is the secure sharing of customer data with authorised
third parties on the customer’s request. Those third parties can
then use that data to provide innovative services for the
consumer or business user, utilising AI and data-driven insights
to empower customer choice. Services may include clear account
management across services, easier switching between offers or
providers, and advice on how to save money. Open banking is an
obvious live example of that, but the Bill, with the smart data
changes within it, will turbocharge the use of this matter.
My hon. Friend the Member for Loughborough talked about policing.
It will save 1.5 million police hours, but it is really important
that we do more. We are looking at ways of easing redaction
burdens for the police while ensuring we maintain victim and
witness confidence. It is really important to them, and in the
interests of public trust, that the police do not share
information not relevant to a case with other organisations,
including the Crown Prosecution Service and the defence. Removing
information, as my hon. Friend says, places a resource burden on
officers. We will continue to work with the police and the Home
Office on that basis.
On UK-wide data standards, raised by my hon. Friend the Member
for Aberconwy, improving access to comparable data and evidence
from across the UK is a crucial part of the Government’s work to
strengthen the Union. The UK Government and the Office for
National Statistics have an ongoing and wide-ranging work
programme to increase coherency of data across the nations, as my
hon. Friend is aware. We remain engaged in discussions and will
continue to work with him, the Wales Office and the ONS to ensure
that we can continue.
On international data transfer, it is important that we tackle
the uncertainties and instabilities in the current regime, but
the hon. Member for Strangford is absolutely right that in doing
that, we must maintain public trust in the transfer system.
Finally, on the ICO, we believe that the Bill does not undercut
its independence. It is really important that, for the trust
issues I have talked about, we retain its independence. It is not
about Government control over an independent regulator and it is
not about a Government trying to exert influence or pressure for
what are deemed to be more favourable outcomes. We are committed
to the ICO’s ongoing independence and that is why we have worked
closely with the ICO. The Information Commissioner himself is in
favour of the changes we are making. He has spoken approvingly
about them.
This is a really important Bill, because it will enable greater
innovation while keeping personal protections to keep people’s
data safe.
Question put and agreed to.
Bill accordingly read a Second time.
Data Protection and Digital Information (No. 2) Bill
(Programme)
Motion made, and Question put forthwith (Standing Order No.
83A(7)),
That the following provisions shall apply to the Data Protection
and Digital Information (No. 2) Bill:
Committal
(1) The Bill shall be committed to a Public Bill Committee.
Proceedings in Public Bill Committee
(2) Proceedings in the Public Bill Committee shall (so far as not
previously concluded) be brought to a conclusion on Tuesday 13
June 2023.
(3) The Public Bill Committee shall have leave to sit twice on
the first day on which it meets.
Consideration and Third Reading
(4) Proceedings on Consideration shall (so far as not previously
concluded) be brought to a conclusion one hour before the moment
of interruption on the day on which those proceedings are
commenced.
(5) Proceedings on Third Reading shall (so far as not previously
concluded) be brought to a conclusion at the moment of
interruption on that day.
(6) Standing Order No. 83B (Programming committees) shall not
apply to proceedings on Consideration and Third Reading.
Question agreed to.
Data Protection and Digital Information (No. 2) Bill (Money)
King’s recommendation signified.
Motion made, and Question put forthwith (Standing Order No.
52(1)(a)),
That, for the purposes of any Act resulting from the Data
Protection and Digital Information (No. 2) Bill, it is expedient
to authorise the payment out of money provided by Parliament
of—
(a) any expenditure incurred under or by virtue of the Act by the
Secretary of State, the Treasury or a government department,
and
(b) any increase attributable to the Act in the sums payable
under any other Act out of money so provided.
Question agreed to.
Data Protection and Digital Information (No. 2) Bill (Ways and
Means)
Motion made, and Question put forthwith (Standing Order No.
52(1)(a)),
That, for the purposes of any Act resulting from the Data
Protection and Digital Information (No. 2) Bill, it is expedient
to authorise:
(1) the charging of fees or levies under or by virtue of the Act;
and
(2) the payment of sums into the Consolidated Fund.
Question agreed to.
Data Protection and Digital Information (No. 2) Bill
(Carry-over)
Motion made, and Question put forthwith (Standing Order No.
80A(1)(a)).
That if, at the conclusion of this Session of Parliament,
proceedings on the Data Protection and Digital Information (No.
2) Bill have not been completed, they shall be resumed in the
next Session.
Question agreed to.