I am pleased to have secured this debate. I am, of course, delighted to see the Under-Secretary of State for Culture, Media and Sport at the Dispatch Box, although I am a little surprised that a Ministry of Justice Minister is not here instead. The hon. Gentleman will understand why as I develop my argument.
There are many problems relating to the use of personal data by new media companies. We could be discussing the BBC report this morning: after a journalist went on to just four websites, 40 companies put cookies on to his computer to track what he was doing. We could be discussing the fact that Google has just three months to change its privacy policy or pay a £500,000 fine or the fact that Prism, used by the United States National Security Agency, has been collecting data from Microsoft and many other large companies.
However, the specific issue that I want to talk about is the use of personal data by mobile phone companies and the special sensitivity that arises because of the fact that the mobile phone companies know the location of the user. On 12 May, The Sunday Times reported that EE had sold to Ipsos MORI the personal data of 27 million mobile phone users, including their gender, age and postcode, the websites they visited, the time of day texts were sent, and, linked to that, their location when the texts were sent. Customers were clearly not aware that their data were being handed on and used in this way. Ipsos MORI then had a meeting with the Metropolitan police to discuss selling the data on for a second time. These data go beyond anything the police can get without an application under the Regulation of Investigatory Powers Act 2000. The scale of this is demonstrated by the fact that in 2011 only 2,911 such orders were given. Furthermore, a proposal to allow the police to hold such data was dropped by the Home Secretary last year.
The day after reading that article, I wrote to the Minister and requested various assurances from him. I have not had an answer so far, but perhaps this evening he will respond to the points I made. I asked him whether he had discussed the matter with industry, what steps the Government had taken to ensure that such data do not fall into undesirable hands, whether he had had a report from the Metropolitan police, whether the Government believe that it is right that a larger range of data are being used and sold than is allowed under RIPA, and what action the Government are taking to protect our citizens.
Because I did not receive an answer, I wrote to the mobile phone companies and the Information Commissioner’s Office, most of which provided full responses. I also had meetings with EE, the Open Rights Group and Big Brother Watch. Three companies told me that they do not sell on personal data at all, Ipsos MORI explained that the data were aggregated into groups of at least 50 people, and Telefonica pointed out, reasonably enough, that the location data are needed for “find my nearest” services. When I asked EE if the public might judge themselves whether they were satisfied with the arrangements it had made with Ipsos MORI and suggested that the way to achieve that would be for it to publish its contract with Ipsos MORI regarding the sale, it said that it could not do so because it was “confidential”.
All the companies said they believed that their practices fell within the Data Protection Act 1998 and that the data had been anonymised as defined in that Act. The ICO said that having datasets with names or addresses stripped out and aggregated into groups of 50
“does not enable particular individuals to be identified”.
Unfortunately that is not the case. By combining these data with other datasets—for example, those of the Land Registry—individual people can be identified. In March this year, Nature published a science report by academics at the Massachusetts Institute of Technology and Harvard, Louvain and Valparaiso universities which concluded that
“in a dataset where the location of an individual is specified hourly…four spatio-temporal points are enough to uniquely identify 95% of the individuals…These findings represent fundamental constraints to an individual's privacy and have important implications for the design of frameworks and institutions dedicated to protect the privacy of individuals.”
I thank the hon. Lady for bringing this vital issue to the House. A week does not pass in my constituency without the police warning people to be aware of a scam. Data seem to become available to many organisations, especially the mobile phone groups. Does the hon. Lady agree—I hope the Minister will also respond to this—that, rather than addressing the issue regionally, it would be best to do so with a strategy across the whole United Kingdom of Great Britain and Northern Ireland?
The hon. Gentleman is absolutely right. Indeed, the European Union will make proposals, which will obviously cover the United Kingdom. That is essential, because we are dealing with international companies, so we need international agreements to tackle the problems.
The current law is inadequate to protect people’s privacy, partly because there has been significant technological change since 1998. The advent of cloud computing and the increasing sharing of personal information on online social networks mean that fewer and fewer data are needed to identify people. Furthermore, the current consent rules are completely inadequate. For consent to be meaningful, it needs to be explicit, informed and freely given. Usually, that is not the case—the consent is buried somewhere in paragraph 157 of the terms and conditions—and people have no option to refuse if they want the service at all.
Data are not used for the purposes requested or desired by their owner. In other words, the legal definition of legitimate use is too weak. The data that mobile phone companies hold are extremely sensitive and neither those that they sell nor their changed use have been agreed with the customers. The sanctions are weak, as is evident from the fact that the ICO will fine Google only £500,000 if it does not change its policies.
There are two relevant laws: the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. Do the Government think there is a proper legal basis for processing customers’ location data for the benefit of the marketing purposes of third parties? Does the Minister believe that the ICO is taking enough action to require mobile phone companies to keep consumers informed?
If the Government think that the public are not bothered, they are surely mistaken. Last year Demos carried out some public opinion surveys as part of a report on data sharing and protection. The surveys found that losing control of personal information is the public’s most significant concern with regard to using new technology. They also found that people are sharing more, but that they have a “crisis of confidence” in relation to it. On sharing personal data, 52% of the public were non-sharers or sceptics, compared with only 27% who were described as value hunters or enthusiastic sharers.
Against that background, Neelie Kroes, the EU commissioner for the digital agenda, has made proposals to give people effective control over their personal data, which is a fundamental right for all EU citizens. Under her proposals, an individual’s consent would have to be given explicitly and there would also be a new right to be forgotten whereby, if requested, a data holder would have to delete all the data they hold on a particular person. She also proposes that people should have easier access to their personal data; that there should be a right to transfer those data from one data holder to another; that people should receive speedy information of personal data security breaches; and that there should be stronger protection for children.
The Justice Select Committee has described the draft regulation as necessary and agrees that a shared approach across the EU is necessary for dealing with these large multinational companies, yet the Lord Chancellor has described the proposals as “mad”. The Government have complained about the costs and the potential loss of £15 million of income in fees to the ICO.
Of course no one wants to impose unnecessary burdens on business, and especially not on small and medium-sized enterprises, but if the Government got their act together and started taxing those large new media companies properly, they would easily acquire the necessary resources to enable the institutions to provide proper protection for our citizens. That is evident from the fact that Google paid only £3 million in tax on a £2 billion turnover.
Furthermore, the Government seem to be supporting attempts to weaken people’s rights. The Ministry of Justice’s summary of responses document, which it published in June 2012, said that the Government would
“resist the proposal that subject access rights be exercisable free of charge”,
and that they would resist the right to be forgotten. Although they accepted that people should receive notifications of data breaches, they resisted the introduction of a speedy timetable for them. They also felt that the imposition of a fine of 2% of turnover would be “disproportionately high”.
To summarise my argument, 70% of Europeans are concerned that companies use data for purposes other than that for which they were collected, and 94% of the British public worry about their online privacy. British people’s data have been used and sold without their knowledge, and the rapid pace of technological change means that the law is in urgent need of updating. Privacy is a fundamental human right and the EU is now bringing forward sensible proposals to tackle this, which the Lord Chancellor has described as “mad”. Is this because the Tory-led Government are so in hock to big business that they refuse to protect citizens’ privacy, or because the Lord Chancellor is so Europhobic that he cannot recognise a good idea when it comes along?
I am grateful for this chance to respond, and I congratulate the hon. Member for Bishop Auckland (Helen Goodman) on securing this important debate on new media and data protection. I thank her for her kind words about seeing me in my place. She expressed surprise at seeing me here, but she wrote to me about this issue on 13 May this year, so she should not be surprised to see me here tonight. She has, however, inadvertently put her finger on an important matter—namely, the responsibility within Whitehall for some of these issues. She will know that, as communications Minister, I am responsible for the mobile phone companies in the round, but that the Information Commissioner’s Office remains under the jurisdiction of the Ministry of Justice. It is therefore right that the Ministry of Justice should address such matters as the data protection regulations. A similar issue arises with nuisance calls. I am driving forward reform in that area, although the Information Commissioner deals with that matter, which remains under the remit of the Ministry of Justice. However, I care passionately about these issues, and I want to see progress and change in this area.
As Minister for communications, I have been involved in trying to strike a balance between the use of personal data and the need to keep people’s privacy secure. As the hon. Lady made clear in her speech, this is a very real issue in the age of the internet. We talk about data, but let us put a bit of colour into this. We share data, as in information about ourselves, every single day on the internet. I was interested to read the recent World Economic Forum report that estimated that we send 47 billion e-mails a day, that we submit 95 million tweets—not always accurate ones—and that we share 30 billion pieces of content on Facebook every day. We are sharing personal data all the time.
A thriving information economy is essential for enhancing our national competitiveness and driving economic growth. That is why the Government have published an information economy strategy that looks at how Government, industry and academia can work together to exploit the many opportunities available in that sphere.
It is important that we distinguish between personal data that we make freely available, and personal data that we give up to mobile phone companies and that may be used in the future. The report to which the hon. Lady refers from 12 May would, on first reading, give anyone cause for concern. I am happy to report to the House, however, that not everything in that report was entirely accurate.
In a parallel world while the hon. Lady was meeting the Information Commissioner’s Office and talking to mobile phone companies, my officials were doing the same having received her letter. In fact, I replied to her letter today, and she should find that reply in her inbox this evening or tomorrow morning. Purely coincidentally, while I was going through my correspondence I found her reply to my letter in my inbox.
When the story broke, the Information Commissioner’s Office spoke to EE—the company referred to—as well as to Ipsos MORI, and was reassured that the detail of the story was not entirely accurate. EE confirmed that it works with Ipsos MORI on customer behaviour and network usage analysis, and to prepare reports on how, when and where its network is being used. However, data shared between the parties is anonymised and aggregated in groupings of a minimum of 50 to remove any individual references or identifiers.
In that respect, the article in The Sunday Times was not entirely accurate. Ipsos MORI did not sell the personal data of 27 million customers to the Metropolitan police as the data are not generically made available. Furthermore, the Information Commissioner’s Office has seen examples of the output that Ipsos MORI created using data from EE, and it confirmed to my officials that they were not sufficiently detailed or granular to enable individuals to be identified.
Ipsos MORI or EE remain responsible for ensuring that any outputs are compliant with the relevant legislation, and do not identify particular individuals. EE has confirmed that position, and is adamant that it would never breach the trust that its customers place in it, and that it complies fully with all relevant regulations. Telefónica O2 says that it does not sell customer data, and has provided details about a product that it, local councils and others use called “Smart Steps”. That is a data analytics tool used to measure and understand the number of people visiting a specific area. Telefónica O2 confirmed that data are anonymised and aggregated, in line with UK and EU data protection legislation. Similarly, 3UK confirmed that it does not sell customer data. It shares information with third parties such as service providers, to help them deliver services to their customers, but that is done in full compliance with privacy laws. Vodafone also provided details of the two legacy analytical projects in which it participates, both of which were designed to comply with the Data Protection Act.
The Information Commissioner’s Office “Anonymisation: managing data protection risk code of practice” provides guidance on how anonymisation can be used to manage and minimise data protection risk when releasing information. That code was published last year in November with the aim of helping organisations ensure their use of anonymisation techniques safeguards individual privacy. I am pleased to say that that code is online on the ICO’s website.
Where data have been anonymised and aggregated, they will not fall within the scope of the Data Protection Act as they do not enable particular individuals to be identified or differentiated from one another. The requirements of the DPA apply only to the processing—the use, disclosure, collection and storage of personal data that relate to an identifiable individual.
The Data Protection Act does not prohibit the sale of personal data—it is not clear that there is a legal loophole as such in terms of companies trading in personal data, but it is something about which individuals should be informed. As the hon. Lady points out, it is important to obtain individuals’ consent. That is an important issue that we should be addressing, particularly in an online world where often one is confronted by terms and conditions of inordinate length that no reasonable person could be expected to read in great detail. I would certainly like to see much simpler terms and conditions specifically designed for an online age covering the essentials necessary to giving informed consent.
The Minister is responding to the points I raised on 13 May, but things have moved on and I have found out more. I was not arguing that these companies were breaking the law. Clearly, they are large companies with big legal departments and would not be so foolish as to do that. My point was that these data, when combined with other data, can enable another person to identify the individuals. That being the case, we need to tighten the law. I hope the Minister will deal, in his further remarks, with that and the Government’s response to the proposed tightening of the law.
I will certainly do that, but I hope the hon. Lady will bear with me briefly, because it is important, given what provoked this debate, that these issues be put on the record.
I was talking about consent and, in my humble opinion, meeting the hon. Lady halfway on some of her concerns, which I think were perfectly legitimate to raise in the House. Personal data required by legislation to be provided and made available to the general public—for example, directors’ information or births, marriages and deaths—can also be sold, but as I said, I would be concerned if any of the mobile operators were to release personal data for sale in contravention of the law. As she made clear, however, that was not her point.
I turn now to the thrust of the hon. Lady’s comments. We have moved on from the report in The Sunday Times to the general issue of how personal data are handled, particularly in an online and digital age. I begin with two points. First, we take this issue very seriously. Quite recently, we strengthened the powers of the Information Commissioner’s Office. All Members will recall the issue with Google street cars, which were sent hither and thither to take pictures of everybody’s houses so as to provide a public service. When data protection was deemed to have been breached, it was discovered that the ICO did not have the powers to fine Google. As she made clear, the ICO is currently considering a privacy case involving Google, and over the heads of Google and of other companies that break privacy laws hangs the possibility of a significant fine from the ICO, thanks to European legislation introduced by the Government. Those fines are already being used to full effect to combat the plague of nuisance calls.
The second privacy issue that required an important balancing act was the transposition of the e-privacy directive, in which I was closely involved. This relates directly to the issue of cookies, to which the hon. Lady referred earlier. A cookie can be many things, but in the online world, it is a small packet of data that allows one’s movements to be tracked across the web. They can provide a useful service to the user of online services by providing, for example, advertisements tailored to the interests of the individual internet user based on their browsing history, but, based on an important principle, the e-privacy directive introduces the opportunity for an individual to consent to the use of cookies. That is why anyone who uses the internet will see on most websites a pop-up display, banner or some other notice making it clear that the website uses cookies and asking the user to give their consent. By and large—I do not have any specific evidence to support this assertion—most people consent to the use of cookies, because there are some benefits. However, let us not underestimate the concerns that people have about this kind of tracking. As the hon. Lady pointed out, people want to feel that they have given their consent for tracking behaviour. Those of us who have covered this brief in Government for a while will remember the storm that occurred when BT tried to introduce tracking users through software created by Phorm. That caused an enormous row and BT had to withdraw it, because the people who used its website did not feel that their consent had been given properly. That is the kind of issue covered by the e-privacy directive.
The hon. Lady raised the matter of the proposals currently under discussion in the Commission. I am loth to correct the hon. Lady on any issue, but the proposals are not being put forward by Commissioner Kroes, who is the Commissioner for digital services, but by Commissioner Viviane Reding, who is the Commissioner with responsibility for consumer affairs. The proposals will update the data protection regulations and, as she pointed out, the Ministry of Justice is the lead Department. My right hon. Friend the Lord Chancellor has been to Brussels and he has used the straightforward and plain language that has stood him in such good stead in his career over many years to make clear the concerns of the British Government.
Let me again be clear: we do not oppose the data protection regulations. We support updating the regulations, but we have legitimate concerns about some of the detail. The most notorious regulation, which has grabbed the headlines, is of course the one that goes by that vernacular phrase “the right to be forgotten”. Our concern is straightforward: saying to any ordinary person that we are going to give them the right to be forgotten on the internet will raise a huge amount of expectation. We therefore want absolute clarity on what can be achieved by talking directly to the website—for example, Facebook—whose data we want to erase, and by asking how far that can go and how many other people one has to speak to. The clear concern of the British Government relates to scope.
The hon. Lady is right to raise these concerns. All British citizens are rightly concerned about how their data might be used in a digital age. It is right and appropriate that the Government respond in a judicious and sensible fashion.
Question put and agreed to.