Data Protection and Digital Information (No. 2) Bill
Monday 17th April 2023
(1 year ago)
Commons ChamberData Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Read Debate Ministerial Extracts
The Minister for Data and Digital Infrastructure (Julia Lopez)
I beg to move, That the Bill be now read a Second time.
Data is already the fuel driving the digital age: it powers the everyday apps that we use, public services are being improved by its better use and businesses rely on it to trade, produce goods and deliver services for their customers. But how we choose to use data going forward will become even more important: it will determine whether we can grow an innovative economy with well-paid, high-skill jobs, it will shape our ability to compete globally in developing the technologies of the future and it will increasingly say something about the nature of our democratic society. The great challenge for democracies, as I see it, will be how to use data to empower rather than control citizens, enhancing their privacy and sense of agency without letting authoritarian states—which, in contrast, use data as a tool to monitor and harvest information from citizens—dominate technological advancement and get a competitive advantage over our companies.
The UK cannot step aside from the debate by simply rubber-stamping whatever iteration of the GDPR comes out of Brussels. We have in our hands a critical opportunity to take a new path and, in doing so, to lead the global conversation about how we can best use data as a force for good—a conversation in which using data more effectively and maintaining high data protection standards are seen not as contradictory but as mutually reinforcing objectives, because trust in this more effective system will build the confidence to share information. We start today not by kicking off a revolution, turning over the apple cart and causing a compliance headache for UK firms, but by beginning an evolution away from an inflexible one-size-fits-all regime and towards one that is risk-based and focused on innovation, flexibility and the needs of our citizens, scientists, public services and companies.
Businesses need data to make better decisions and to reach the right consumers. Researchers need data to discover new treatments. Hospitals need it to deliver more personalised patient care. Our police and security services need data to keep our people safe. Right now, our rules are too vague, too complex and too confusing always to understand. The GDPR is a good standard, but it is not the gold standard. People are struggling to utilise data to innovate, because they are tied up in burdensome activities that are not fundamentally useful in enhancing privacy.
A recently published report on compliance found that 81% of European publishers were unknowingly in breach of the GDPR, despite doing what they thought the law required of them. A YouGov poll from this year found that one in five marketing professionals in the UK report knowing absolutely nothing about the GDPR, despite being bound by it. It is not just businesses: the people whose privacy our laws are supposed to protect do not understand it either. Instead, they click away the thicket of cookie pop-ups just so they can see their screen.
The Bill will maintain the high standards of data protection that British people rightly expect, but it will also help the people who are most affected by data regulation, because we have co-designed it with those people to ensure that our regulation reflects the way in which real people live their lives and run their businesses.
Christine Jardine (Edinburgh West) (LD)
Does the Minister agree that the retention and enhancement of public trust in data is a major issue, that sharing data is a major issue for the public, and that the Government must do more—perhaps she can tell us whether they intend to do more—to educate the public about how and where our data is used, and what powers individuals have to find out this information?
Julia Lopez
I thank the hon. Lady for her helpful intervention. She is right: as I said earlier, trust in the system is fundamental to whether citizens have the confidence to share their data and whether we can therefore make use of that data. She made a good point about educating people, and I hope that this debate will mark the start of an important public conversation about how people use data. One of the challenges we face is a complex framework which means that people do not even know how to talk about data, and I think that some of the simplifications we wish to introduce will help us to understand one of the fundamental principles to which we want our new regime to adhere.
Sir Julian Lewis (New Forest East) (Con)
My hon. Friend gave a long list of people who found the rules we had inherited from outside the UK challenging. She might add to that list Members of Parliament themselves. I am sure I am not alone in having been exasperated by being complained about to the Information Commissioner, in this case by a constituent who had written to me complaining about a local parish council. When I shared his letter with the parish council so that it could show how bogus his long-running complaint had been, he proceeded to file a complaint with the Information Commissioner’s Office because I had shared his phone number—which he had not marked as private—with the parish council, with which he had been in correspondence for several years. The Information Commissioner’s Office took that seriously. This sort of nonsense shows how over-restrictive regulations can be abused by people who are out to stir up trouble unjustifiably.
Julia Lopez
Let me gently say that if my right hon. Friend’s constituent was going to pick on one Member of Parliament with whom to raise this point, the Member of Parliament who does not, I understand, use emails would be one of the worst candidates. However, I entirely understand Members’ frustration about the current rules. We are looking into what we can do in relation to democratic engagement, because, as my right hon. Friend says, this is one of the areas in which there is not enough clarity about what can and cannot be done.
We want to reduce burdens on businesses, and above all for the small businesses that account for more than 99% of UK firms. I am pleased that the Under-Secretary of State for Business and Trade, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake), is present to back up those proposals. Businesses that do not have the time, the money or the staff to spend precious hours doing unnecessary form-filling are currently being forced to follow some of the same rules as a billion-dollar technology company. We are therefore cutting the amount of pointless paperwork, ensuring that organisations only have to comply with rules on record-keeping and risk assessment when their processing activities are high-risk. We are getting rid of excessively demanding requirements to appoint data protection officers, giving small businesses much more flexibility when it comes to how they manage data protection risks without procuring external resources.
Those changes will not just make the process simpler, clearer and easier for businesses, they will make it cheaper too. We are expecting micro and small businesses to save nearly £90 million in compliance costs every year: that is £90 million more for higher investment, faster growth and better jobs. According to figures published in 2021, data-driven trade already generates 85% of our services exports. Our new international transfers regime clarifies how we can build data bridges to support the close, free and safe exchange of data with other trusted allies.
John Penrose (Weston-super-Mare) (Con)
I am delighted to hear the Secretary of State talk about reducing regulatory burdens without compromising the standards that we are none the less delivering—that is the central distinction, and greatly to be welcomed for its benefits for the entrepreneurialism and fleetness of foot of British industry. Does she agree, however, that while the part of the Bill that deals with open data, or smart data, goes further than that and creates fresh opportunities for, in particular, the small challenger businesses of the kind she has described to take on the big incumbents that own the data lakes in many sectors, those possibilities will be greatly reduced if we take our time and move too slowly? Could it not potentially take 18 months to two years for us to start opening up those other sectors of our economy?
Julia Lopez
I am delighted, in turn, to hear my hon. Friend call me the Secretary of State—I am grateful for the promotion, even if it is not a reality. I know how passionate he feels about open data, which is a subject we have discussed before. As I said earlier, I am pleased that the Under-Secretary of State for Business and Trade is present, because this morning he announced that a new council will be driving forward this work. As my hon. Friend knows, this is not necessarily about legislation being in place—I think the Bill gives him what he wants—but about that sense of momentum, and about onboarding new sectors into this regime and not being slow in doing so. As he says, a great deal of economic benefit can be gained from this, and we do not want it to be delayed any further.
Kit Malthouse (North West Hampshire) (Con)
Let me first draw attention to my entry in the Register of Members’ Financial Interests. Let me also apologise for missing the Minister’s opening remarks—I was taken by surprise by the shortness of the preceding statement and had to rush to the Chamber.
May I take the Minister back to the subject of compliance costs? I understand that the projected simplification will result in a reduction in those costs, but does she acknowledge that a new regime, or changes to the current regime, will kick off an enormous retraining exercise for businesses, many of which have already been through that process recently and reached a settled state of understanding of how they should be managing data? Even a modest amount of tinkering instils a sense among British businesses, particularly small businesses, that they must put everyone back through the system, at enormous cost. Unless the Minister is very careful and very clear about the changes being made, she will create a whole new industry for the next two or three years, as every data controller in a small business—often doing this part time alongside their main job—has to be retrained.
Julia Lopez
We have been very cognisant of that risk in developing our proposals. As I said in my opening remarks, we do not wish to upset the apple cart and create a compliance headache for businesses, which would be entirely contrary to the aims of the Bill. A small business that is currently compliant with the GDPR will continue to be compliant under the new regime. However, we want to give businesses flexibility in regard to how they deliver that compliance, so that, for instance, they do not have to employ a data protection officer.
Ben Lake (Ceredigion) (PC)
I am grateful to the Minister for being so generous with her time. May I ask whether the Government intend to maintain data adequacy with the EU? I only ask because I have been contacted by some business owners who are concerned about the possible loss of EU data adequacy and the cost that might be levied on them as a result.
Julia Lopez
I thank the hon. Gentleman for pressing me on that important point. I know that many businesses are seeking to maintain adequacy. If we want a business-friendly regime, we do not want to create regulatory disruption for businesses, particularly those that trade with Europe and want to ensure that there is a free flow of data. I can reassure him that we have been in constant contact with the European Commission about our proposals. We want to make sure that there are no surprises. We are currently adequate, and we believe that we will maintain adequacy following the enactment of the Bill.
Rebecca Long Bailey (Salford and Eccles) (Lab)
I was concerned to hear from the British Medical Association that if the EU were to conclude that data protection legislation in the UK was inadequate, that would present a significant problem for organisations conducting medical research in the UK. Given that so many amazing medical researchers across the UK currently work in collaboration with EU counterparts, can the Minister assure the House that the Bill will not represent an inadequacy in comparison with EU legislation as it stands?
Julia Lopez
I hope that my previous reply reassured the hon. Lady that we intend to maintain adequacy, and we do not consider that the Bill will present a risk in that regard. What we are trying to do, particularly in respect of medical research, is make it easier for scientists to innovate and conduct that research without constantly having to return for consent when it is apparent that consent has already been granted for particular medical data processing activities. We think that will help us to maintain our world-leading position as a scientific research powerhouse.
Alongside new data bridges, the Secretary of State will be able to recognise new transfer mechanisms for businesses to protect international transfers. Businesses will still be able to transfer data across borders with the compliance mechanisms that they already use, avoiding needless checks and costs. We are also delighted to be co-hosting, in partnership with the United States, the next workshop of the global cross-border privacy rules forum in London this week. The CBPR system is one of the few existing operational mechanisms that, by design, aims to facilitate data flows on a global scale.
World-class research requires world-class data, but right now many scientists are reluctant to get the data they need to get on with their research, for the simple reason that they do not know how research is defined. They can also be stopped in their tracks if they try to broaden their research or follow a new and potentially interesting avenue. When that happens, they can be required to go back and seek permission all over again, even though they have already gained that permission earlier to use personal data. We do not think that makes sense. The pandemic showed that we cannot risk delaying discoveries that could save lives. Nothing should be holding us back from curing cancer, tackling disease or producing new drugs and treatments. This Bill will simplify the legal requirements around research so that scientists can work to their strengths with legal clarity on what they can and cannot do.
The Bill will also ensure that people benefit from the results of research by unlocking the potential of transformative technologies. Taking artificial intelligence as an example, we have recently published our White Paper: “AI regulation: a pro-innovation approach”. In the meantime, the Bill will ensure that organisations know when they can use responsible automated decision making and that people know when they can request human intervention where those decisions impact their lives, whether that means getting a fair price for the insurance they receive after an accident or a fair chance of getting the job they have always wanted.
I spoke earlier about the currency of trust and how, by maintaining it through high data protection standards, we are likely to see more data sharing, not less. Fundamental to that trust will be confidence in the robustness of the regulator. We already have a world-leading independent regulator in the Information Commissioner’s Office, but the ICO needs to adapt to reflect the greater role that data now plays in our lives alongside its strategic importance to our economic competitiveness. The ICO was set up in the 1980s for a completely different world, and the pace, volume and power of the data we use today has changed dramatically since then.
It is only right that we give the regulator the tools it needs to keep pace and to keep our personal data safe while ensuring that, as an organisation, it remains accountable, flexible and fit for the modern world. The Bill will modernise the structure and objectives of the ICO. Under this legislation, protecting our personal data will remain the ICO’s primary focus, but it will also be asked to focus on how it can empower businesses and organisations to drive growth and innovation across the UK, and support public trust and confidence in the use of personal data.
The Bill is also important for consumers, helping them to share less data while getting more product. It will support smart data schemes that empower consumers and small businesses to make better use of their own data, building on the extraordinary success of open banking tools offered by innovative businesses, which help consumers and businesses to manage their finances and spending, track their carbon footprint and access credit.
Jim Shannon (Strangford) (DUP)
The Minister always delivers a very solid message and we all appreciate that. In relation to the high data protection standards that she is outlining, there is also a balance to be achieved when it comes to ensuring that there are no unnecessary barriers for individuals and businesses. Can she assure the House that that will be exactly what happens?
Julia Lopez
I am always happy to take an intervention from the hon. Member. I want to assure him that we are building high data protection standards that are built on the fundamental principles of the GDPR, and we are trying to get the right balance between high data protection standards that will protect the consumer and giving businesses the flexibility they need. I will continue this conversation with him as the Bill passes through the House.
Mike Amesbury (Weaver Vale) (Lab)
I thank the Minster for being so generous with her time. With regard to the independent commissioner, the regulator, who will set the terms of reference? Will it be genuinely independent? It seems to me that a lot of power will fall on the shoulders of the Secretary of State, whoever that might be in the not-too-distant future.
Julia Lopez
The Secretary of State will have greater powers when it comes to some of the statutory codes that the ICO adheres to, but those powers will be brought to this House for its consent. The whole idea is to make the ICO much more democratically accountable. I know that concern about the independence of the regulator has been raised as we have been working up these proposals, but I wish to assure the House that we do not believe those concerns to be justified or legitimate. The Bill actually has the strong support of the current Information Commissioner, John Edwards.
The Bill will also put in place the foundations for data intermediaries, which are organisations that can help us to benefit from our data. In effect, we will be able to share less sensitive data about ourselves with businesses while securing greater benefits. As I say, one of the examples of this is open banking. Another way in which the Bill will help people to take back control of their data is by making it easier and more secure for people to prove things about themselves once, electronically, without having to dig out stacks of physical documents such as passports, bills, statements and birth certificates and then having to provide lots of copies of those documents to different organisations. Digital verification services already exist, but we want consumers to be able to identify trustworthy providers by creating a set of standards around them.
The Bill is designed not just to boost businesses, support scientists and deliver consumer benefits; it also contains measures to keep people healthy and safe. It will improve the way in which the NHS and adult social care organise data to deliver crucial health services. It will let the police get on with their jobs by allowing them to spend more time on the beat rather than on pointless paperwork. We believe that this will save up to 1.5 million hours of police time each year—
Julia Lopez
I know that my hon. Friend has been passionate on this point, and we are looking actively into her proposals.
We are also updating the outdated system of registering births and deaths based on paper processes from the 19th century.
Data has become absolutely critical for keeping us healthy, for keeping us safe and for growing an economy with innovative businesses, providing jobs for generations to come. Britain is at its best when its businesses and scientists are at theirs. Right now, our rules risk holding them back, but this Bill will change that because it was co-designed with those businesses and scientists and with the help of consumer groups. Simpler, easier, clearer regulation gives the people using data to improve our lives the certainty they need to get on with their jobs. It maintains high standards for protecting people’s privacy while seeking to maintain our adequacy with the EU. Overall, this legislation will make data more useful for more people and more usable by businesses, and it will enable greater innovation by scientists. I commend the Bill to the House.
Lucy Powell (Manchester Central) (Lab/Co-op)
It is good finally to get the data Bill that was promised so long ago. We nearly got there in the halcyon days of September 2022, under the last Prime Minister, after it had been promised by the Prime Minister before. However, the Minister has a strong record of bringing forward and delivering things that the Government have long promised. I also know that she has another special delivery coming soon, which I very much welcome and wish her all the best with. She took a lot of interventions and I commend her for all that bobbing up and down while so heavily pregnant. I would also like to send my best wishes to the Secretary of State, who let me know that she could not be here today. I would also like to wish her well with her imminent arrival. There is lots of delivery going on today.
We are in the midst of a digital and data revolution, with data increasingly being the most prized asset and fundamental to the digital age, but this Bill, for all its hype, fails to meet that moment. Even since the Bill first appeared on the Order Paper last September, AI chatbots have become mainstream, TikTok has been fined for data breaches and banned from Government devices, and AI image generators have fooled the world into thinking that the Pope had a special papal puffer coat. The world, the economy, public services and the way we live and communicate are changing fast. Despite these revolutions, this data Bill does not rise to the challenges. Instead, it tweaks around the edges of GDPR, making an already dense set of privacy rules even more complex.
The UK can be a global leader in the technologies of the future. We are a scientific superpower, we have some of the world’s best creative industries and now, outside the two big trading blocs, we could have the opportunities of nimbleness and being in the vanguard of world-leading regulation. In order to harness that potential, however, we need a Government who are on the pitch, setting the rules of the game and ensuring that the benefits of new advances are felt by all of us and not just by a handful of companies. The Prime Minister can tell us again how much he loves maths, but without taking the necessary steps to support the data and digital economy, his sums just do not add up.
The contents of this Bill might seem technical—as drafted, they are incredibly technical—but they matter greatly to every business, consumer, citizen and organisation. As such, data is a significant source of power and value. It shapes the relationship between business and consumers, between the state and citizens, and much, much more. Data information is critical to innovation and economic growth, to modern public services, to democratic accountability and to transforming societies, if harnessed and shaped in the interest of the many, not simply the few—pretty major, I would say.
Now we have left the EU, the UK has an opportunity to lead the world in this area. The next generation of world-leading regulation could allow small businesses and start-ups to compete with the monopolies in big tech, as we have already heard. It could foster a climate of open data, enable public services to use and share data for improved outcomes, and empower consumers and workers to have control over how their data is used. In the face of this huge challenge, the Bill is at best a missed opportunity, and at worst adds another complicated and uncertain layer of bureaucracy. Although we do not disagree with its aims, there are serious questions about whether the Bill will, in practice, achieve them.
Data reform and new regulation are welcome and long overdue. Now that we have left the EU, we need new legislation to ensure that we both keep pace with new developments and make the most of the opportunities. The Government listened to some of the concerns raised in response to the consultation and removed most of the controversial and damaging proposals. GDPR has been hard to follow for some businesses, especially small businesses and start-ups, so streamlining and simplifying data protection rules is a welcome aim. However, we will still need some of them to meet EU data adequacy rules.
The aim of shifting away from tick-box exercises towards a more proactive and systematic approach to regulation is also good. Better and easier data sharing between public services is essential, and some of the changes in that area are welcome, although we will need assurances that private companies will not benefit commercially from personal health data without people’s say so. Finally, nobody likes nuisance calls or constant cookie banners, and the moves to reduce or remove them are welcome, although there are questions about whether the Bill lives up to the rhetoric.
In many areas, however, the Bill threatens to take us backwards. First, it may threaten our ability to share data with the EU, which would be seriously bad for business. Given the astronomical cost to British businesses should data adequacy with the EU be lost, businesses and others are rightly looking for more reassurances that the Bill will not threaten these arrangements. The EU has already said that the vast expansion of the Secretary of State’s powers, among other things, may put the agreement in doubt. If this were to come to pass, the additional burdens on any business operating within the EU, even vaguely, would be enormous.
British businesses, especially small businesses, have faced crisis after crisis. Many only just survived through covid and are now facing rising energy bills that threaten to push them over the edge. According to the Information Commissioner,
“most organisations we spoke to had a plea for continuity.”
The Government must go further on this.
Secondly, the complex new requirements in this 300-page Bill threaten to add more hurdles, rather than streamlining the process. Businesses have serious concerns that, having finally got their head around GDPR, they will now have to comply with both GDPR and all the new regulations in this Bill. That is not cutting red tape, in my view.
Thirdly, the Bill undermines individual rights. Many of the areas in which the Bill moves away from GDPR threaten to reduce protection for citizens, making it harder to hold to account the big companies that process and sell our data. Subject access requests are being diluted, as the Government are handing more power to companies to refuse such requests on the grounds of being excessive or vexatious. They are tilting the rules in favour of the companies that are processing our data. Data protection impact assessments will no longer be needed, and protections against automated decision making are being weakened.
Rebecca Long Bailey
AlgorithmWatch explains that automated decision making is “never neutral.” Outputs are determined by the quality of the data that is put into the system, whether that data is fair or biased. Machine learning will propagate and enhance those differences, and unfortunately it already has. Is my hon. Friend concerned that the Bill removes important GDPR safeguards that protect the public from algorithmic bias and discrimination and, worse, provides Henry VIII powers that will allow the Secretary of State to make sweeping regulations on whether meaningful human intervention is required at all in these systems?
Lucy Powell
My hon. Friend makes two very good points, and I agree with her on both. I will address both points in my speech.
Taken together, these changes, alongside the Secretary of State’s sweeping new powers, will tip the balance away from individuals and workers towards companies, which will be able to collect far more data for many more purposes. For example, the Bill could have a huge impact on workers’ rights. There are ever more ways of tracking workers, from algorithmic management to recruitment by AI. People are even being line managed by AI, with holiday allocation, the assignment of roles and the determination of performance being decided by algorithm. This is most serious when a low rating triggers discipline or dismissal. Transparency and accountability are particularly important given the power imbalance between some employers and workers, but the Bill threatens to undermine them.
If a person does not even know that surveillance or algorithms are being used to determine their performance, they cannot challenge it. If their privacy is being infringed to monitor their work, that is a harm in itself. If a worker’s data is being monetised by their company, they might not even know about it, let alone see a cut. The Bill, in its current form, undermines workers’ ability to find out what data is held about them and how it is being used. The Government should look at this again.
The main problem, however, is not what is in the Bill but, rather, what is not. Although privacy is, of course, a key issue in data regulation, it is not the only issue. Seeing regulation only through the lens of privacy can obscure all the ways that data can be used and can impact on communities. In modern data processing, our data is not only used to make decisions about us individually but pooled together to analyse trends and predict behaviours across a whole population. Using huge amounts of data, companies can predict and influence our behaviour. From Netflix recommendations to recent examples of surge pricing in music and sports ticketing, to the monitoring of covid outbreaks, the true power of data is in how it can be analysed and deployed. This means the impact as well as the potential harms of data are felt well beyond the individual level.
Moreover, as we heard from my hon. Friend the Member for Salford and Eccles (Rebecca Long Bailey), the algorithms that analyse data often replicate and further entrench society’s biases. Facial recognition that is trained on mostly white faces will more likely misidentify a black face—something that I know the parliamentary channel sometimes struggles with. AI language bots produce results that reflect the biases and limitations of their creators and the data on which they are trained. This Bill does not take on any of these community and societal harms. Who is responsible when the different ways of collecting and using data harm certain groups or society as a whole?
As well as the harms, data analytics offers huge opportunities for public good, as we have heard. Opening up data can ensure that scientists, public services, small businesses and citizens can use data to improve all our lives. For example, Greater Manchester has, over the years, linked data across a multitude of public services to hugely improve our early years services, but this was done entirely locally and in the face of huge barriers. Making systems and platforms interoperable could ensure that consumers can switch services to find the best deal, and it could support smaller businesses to compete with existing giants.
Establishing infrastructure such as a national research cloud and data trusts could help small businesses and not-for-profit organisations access data and compete with the giants. Citymapper is a great example, as it used Transport for London’s open data to build a competitor to Google Maps in London. Open approaches to data will also provide better oversight of how companies use algorithms, and of the impact on the rest of us.
Finally, where are the measures to boost public trust? After the debacle of the exam algorithms and the mishandling of GP data, which led millions of people to withdraw their consent, and with workers feeling the brunt but none of the benefits of surveillance and performance management, we are facing a crisis in public trust. Rather than increasing control over and participation in how our data is used, the Bill is removing even the narrow privacy-based protections we already have. In all those regards, it is a huge missed opportunity.
To conclude, with algorithms increasingly making important decisions about how we live and work, data protection has become ever more important to ensure that people have knowledge, control, confidence and trust in how and why data is being used. A data Bill is needed, but we need one that looks towards the future and harnesses the potential of data to grow our economy and improve our lives. Instead, this piecemeal Bill tinkers around the edges, weakens our existing data protection regime and could put our EU adequacy agreement at risk. We look forward to addressing some of those serious shortcomings in Committee.
Sir John Whittingdale (Maldon) (Con)
I welcome the Bill. I am delighted that it finally takes advantage of one of the freedoms that has resulted from our leaving the European Union, which I supported at the time and continue to support. As has been indicated, the Bill has had a long gestation. I was the Minister at the time of the issue of the consultation paper in September 2021 and the Bill first appeared a year later. As the Opposition spokesman pointed out, a small hiccup delayed it a bit further.
Our current data protection laws originate almost entirely from the EU and are based on GDPR. Before the adoption of GDPR in 2016, the UK Government opposed parts of it. I recall that the assessment at the time was that, although there were benefits to larger companies, there would be substantial costs for smaller firms and indeed that has been borne out. There was a debate in government about whether we should oppose the GDPR regulation when it was going through the process of the Commission formation. As so often was the case in the EU, we were advised that, if we opposed that, we would lose vital leverage and our ability to influence its development. Whether we were able then to influence its development is arguable, but it was decided that we should not outright oppose it. However, it has always been clear that the one-size-fits-all GDPR that currently is in place imposes significant costs on smaller firms. When we had the consultation in 2021, smaller firms in particular complained about the complexity of GDPR, and the uncertainty and cost that it imposed. Clearly, there was seen to be an opportunity to streamline it—not to remove it, but to make it simpler and more understandable, and to reduce some of the burdens it imposes. We now have that opportunity to diverge.
The other thing that came back from the consultation—I agree with the Opposition Members who have raised this point—was that there is an advantage in the UK’s retaining data adequacy with the EU. It was not taken for granted that we would get data adequacy. A lengthy negotiation with the EU took place before a data adequacy agreement was reached. As part of that process, officials rightly looked at what alternative there would be, should we not be granted data adequacy. It became clear that there are ways around it. Standard contractual clauses and alternative transfer mechanisms would allow companies to continue to exchange data. It would be a little more complicated. They would need to write the clauses into contracts. For that reason, there was clearly a value in having a general data adequacy agreement, but one should not think that the loss of data adequacy would be a complete disaster because, as I say, there are ways around it.
The Government are right to look at additional adequacy agreements with countries outside the EU, because therein lies a great opportunity. The EU has managed to conclude some, but not that many, and the Government have rightly identified a number of target countries where we see benefits from achieving data adequacy agreements. It is perfectly possible for us to diverge to a limited extent from GDPR and still retain adequacy. Notably, the EU recognises New Zealand’s regime as being adequate, even though New Zealand’s data protection laws are different from those of the EU. The fact that we decided to appoint the former New Zealand Information Commissioner as our own Information Commissioner means that he brings a particular degree of knowledge about that, which will be very useful.
In considering data protection law, it is sometimes said that there is a conflict between privacy—the right of consumers to have protection of their data—and the innovation and growth opportunities of technology companies. I do not believe that that is true; the two things have to be integral parts of our data protection laws. If people believe that their privacy is at risk, they will not trust the exchange of data. One problem is that, in general, people read only about the problems that arise, particularly from things such as identity theft, hacks and the loss of data as a result of people leaving memory sticks on phones or of cyber-criminals hacking into large databases and taking all their financial information. All those things are a genuine risk, but they present only one side of the picture and, in general, people reach their view about the importance of data protection according to all the risk, without necessarily seeing the real benefits that come from the free exchange of data. That was perhaps the lesson that covid showed us more than any other: by allowing the exchange of data, it allowed us to develop and research vaccines. We were able to research what worked in terms of prevention and the various measures that could be taken to protect consumers from getting covid. Therefore, covid was the big demonstration of the fact that data exchange can bring real benefits to all consumers. We are just on the threshold—
John Penrose
Further to my right hon. Friend’s point about facilitating a trusted mechanism for sharing data, does he agree that the huge global success of open banking in this country has demonstrated that a trust framework not only makes people much more willing to exchange their data but frees up the economy and creates a world-leading sector at the same time?
Sir John Whittingdale
I agree with my hon. Friend on that. The use of smart data in open banking demonstrates the benefits that can flow from its use, and that example could be replicated in a large number of other sectors to similar benefit. I hope that that will be one benefit that will eventually flow from the changes we are making.
As I say, we are on the threshold of an incredibly exciting time. The use of artificial intelligence and automated decision making will bring real consumer benefits, although, of course, safeguards must be built in. The question of algorithmic bias was looked at by the Centre for Data Ethics and Innovation and there was evidence there. Obviously, we need to take account of that and build in protections against it, but, in general, the opportunities that can flow from making data more easily available are enormous.
I wish to flag up a couple of things. People have long found pop-up banner cookies deeply irritating. They have become self-defeating, because they are so ubiquitous that everybody just presses “yes”. The whole point of them was to acquire informed consent, but that is undermined if everybody is confronted by these things every time they log on to the internet and they automatically press “yes” without properly reading what they are consenting to. Restricting them to cookies that represent intrusive acquisition of data and explaining that to people and requiring consent is clearly an improvement. That will not only make data exchange easier but increase consumer protection, as people will know that they are being asked to give consent because they may choose not to allow their data to be used.
I understand the concerns that have been expressed about the Bill in some areas, particularly about the powers that will be given to the Secretary of State, but this is a complicated area. It is also one where technology is moving very fast. We need flexible legislation to keep up to date with the development of technology, so, to some extent, secondary legislation is probably the right way forward. We will debate these matters in Committee, but, generally, the Bill will help to deliver the Government’s declared intention, which is to make the UK the most successful data-driven technology economy in the world.
Carol Monaghan (Glasgow North West) (SNP)
We can all agree that the free flow of personal data across borders is essential to the economy, not just within the UK but with other countries, including our biggest trading partner, the EU. Reforms to our data protection framework must have appropriate safeguards in place to ensure that we do not put EU-UK data flows at risk.
Despite the Government’s promises of reforms to empower people in the use of their data, the Bill instead threatens to undermine privacy and data protection. It potentially moves the UK away from the “adequacy” concept in the EU GDPR, and gives weight to the idea that different countries can maintain data protection standards in different but equally effective ways. The only way that we can properly maintain standards is by having a standard across the different trading partners, but the Bill risks creating a scenario where the data of EU citizens could be passed through the UK to countries with which the EU does not have an agreement. The changes are raising red flags in Europe. Many businesses have spoken out about the negative impacts of the Bill’s proposals. Many of them will continue to set their controls to EU standards and operate on EU terms to ensure that they can continue to trade there.
According to conservative estimates, the loss of the adequacy agreement could cost £1.6 billion in legal fees alone. That figure does not include the cost resulting from disruption of digital trade and investments. The Open Rights Group says:
“Navigating multiple data protection regimes will significantly increase costs and create bureaucratic headaches for businesses.”
Although I understand that the Bill is an attempt to reduce the bureaucratic burden for businesses, we are now potentially asking those businesses to operate with two different standards, which will cause them a bigger headache. It would be useful if the Government confirmed that they have sought legal advice on the adequacy impact of the Bill, and that they have confirmed with EU partners that the EU is content that the Bill and its provisions will not harm EU citizens or undermine the trade and co-operation agreement with the EU.
Several clauses of the Bill cause concern. We need more clarity on those that expand the powers of the Home Secretary and the police, and we will require much further discussion on them in Committee. Given what has been revealed over the past few months about the behaviour of some members of the Metropolitan police, there are clauses in the Bill that should cause us concern. A national security certificate that would give the police immunity when they commit crimes by using personal data illegally would cause quite a headache for many of us. The Government have not tried to explain why they think that police should be allowed to operate in the darkness, which they must now rectify if they are to improve public trust.
The Bill will also expand what counts as an “intelligence service” for the purposes of data protection law, again at the Home Secretary's discretion. The Government argue that this would create a “simplified” legal framework, but, in reality, it will hand massive amounts of people’s personal information to the police. This could include the private communications as well as information about an individual’s health, political belief, religious belief or sex life.
The new “designation notice” regime would not be reviewable by the courts, so Parliament might never find out how and when the powers have been used, given that there is no duty to report to Parliament. The Home Secretary is responsible for both approving and reviewing designation notices, and only a person who is “directly affected” by a such a notice will be able to challenge it, yet the Home Secretary would have the power to keep the notice secret, meaning that even those affected would not know it and therefore could not possibly challenge it.
These are expansive broadenings of the powers not only of the Secretary of State, but of the police and security services. If the UK Government cannot adequately justify these powers, which they have not done to date, they must be withdrawn or, at the very least, subject to meaningful parliamentary oversight.
Far from giving people greater power over their data, the Bill will stop the courts, Parliament and individuals from challenging illegal uses of data. Under the Bill, organisations can deny or charge a fee to individuals for the right to access information. The right hon. Member for New Forest East (Sir Julian Lewis) mentioned the difficulty he had with a constituent. I think we can all have some sympathy with that, because many of us have probably experienced similar requests from members of the public. However, it is the public’s right to have access to the data that we hold. If an organisation decides that these requests are “vexatious or excessive”, they can refuse them, but what is “vexatious or excessive”? These words are vague and open to interpretation. Moreover, charging a fee will create a barrier for some people, particularly those on lower incomes, and effectively restricts control of data to more affluent citizens.
The Bill changes current rules that prevent companies and the Government from making solely automated decisions about individuals that could have legal or other significant effects on their lives. We have heard a lot about the potential benefits of AI and how it could be used to enhance our lives, but for public trust and buy-in of AI, we need to know that there is some oversight. Without that, there will always be a question hanging over it. The SyRI case in the Netherlands involved innocuous datasets such as household water usage being used by an automated system to accuse individuals of benefit fraud.
The Government consultation response acknowledges that, for respondents,
“the right to human review of an automated decision was a key safeguard”.
But despite the Government acknowledging the importance of a human review in an automated decision, clause 11, if implemented, would mean that solely automated decision making is permitted in a wider range of contexts. Many of us get excited about AI, but it is important to acknowledge that AI still makes mistakes.
The Bill will allow the Secretary of State to approve international transfers to countries with weak data protection, so even if the Bill does not make data security in the UK weaker, it will weaken the protections of UK citizens’ data by allowing it to be transferred abroad in cases with lower safeguards.
It is useful to hear a couple of stakeholder responses. The Public Law Project has said:
“The Data Protection and Digital Information (No.2) Bill would weaken important data protection rights and safeguards, making it more difficult for people to know how their data is being used”.
The Open Rights Group has said:
“The government has an opportunity to strengthen the UK’s data protection regime post Brexit. However, it is instead setting the country on a dangerous path that undermines trust, furthers economic instability, and erodes fundamental rights.”
Since we are talking about a Bill under the Department for Science, Innovation and Technology, it is important to hear from the Royal Society, which says that losing adequacy with the EU would be damaging for scientific research in the UK, creating new costs and barriers for UK-EU research collaborations. While the right hon. Member for Maldon (Sir John Whittingdale) is right about the importance of being able to share data, particularly scientific data—and we understand the importance of that for things such as covid vaccines—we need to make sure this Bill does not set up further hurdles that could prevent that.
There is probably an awful lot for us to thrash out in Committee. The SNP will not vote against Second Reading tonight, but I appeal to those on the Government Front Bench to give an opportunity for hon. Members to amend and discuss this Bill properly in Committee.
Damian Collins (Folkestone and Hythe) (Con)
I am delighted to speak in support of this long-awaited Bill. It is a necessary piece of legislation to learn the lessons from GDPR and look at how we can improve the system, both to make it easier for businesses to work with and to give users and citizens the certainty they need about how their data will be processed and used.
In bringing forward new measures, the Bill in no way suggests that we are looking to move away from our data adequacy agreements with the European Union. Around the world, in north America, Europe, Australia and elsewhere in the far east, we see Governments looking at developing trusted systems for sharing and using data and for allowing businesses to process data across international borders, knowing that those systems may not be exactly the same, but they work to the same standards and with similar levels of integrity. That is clearly the direction that the whole world wants to move in and we should play a leading role in that.
I want to talk briefly about an important area of the Bill: getting the balance between data rights and data safety and what the Bill refers to as the “legitimate interest” of a particular business. I should also note that this Bill, while important in its own right, sits alongside other legislation—some of it to be introduced in this Session and some of it already well on its way through the Parliamentary processes—dealing with other aspects of the digital world. The regulation of data is an aspect of digital regulation; it is in some ways the fuel that powers the digital experience and is relevant to other areas of digital life as well.
To take one example, we have already established and implemented the age-appropriate design code for children, which principally addresses the way data is gathered from children online and used to design services and products that they use. As this Bill goes through its parliamentary stages, it is important that we understand how the age-appropriate design code is applied as part of the new data regime, and that the safeguards set out in that code are guaranteed through the Bill as well.
There has been a lot of debate, as has already been mentioned, about companies such as TikTok. There is a concern that engineers who work for TikTok in China, some of whom may be members of the Chinese Communist party, have access to UK user data that may not be stored in China, but is accessed from China, and are using that data to develop products. There is legitimate concern about oversight of that process and what that data might be used for, particularly in a country such as China.
However, there is also a question about data, because one reason the TikTok app is being withdrawn from Government devices around the world is that it is incredibly data-acquisitive. It does not just analyse how people use TikTok and from that create data profiles of users to determine what content to recommend to them, although that is a fundamental part of the experience of using it; it is also gathering, as other big apps do, data from what people do on other apps on the same device. People may not realise that they have given consent, and it is certainly not informed consent, for companies such as TikTok to access data from what they do on other apps, not just when they are TikTok.
It is a question of having trusted systems for how data can be gathered, and giving users the right to opt out of such data systems more easily. Some users might say, “I’m quite happy for TikTok or Meta to have that data gathered about what I do across a range of services.” Others may say, “No, I only want them to see data about what I do when I am using their particular service, not other people’s.”
The Online Safety Bill is one of the principal ways in which we are seeking to regulate AI now. There is debate among people in the tech sectors; a letter was published recently, co-signed by a number of tech executives, including Elon Musk, to say that we should have a six-month pause in the development of AI systems, particularly for large language models. That suggests a problem in the near future of very sophisticated data systems that can make decisions faster than a human can analyse them.
People such as Eric Schmidt have raised concerns about AI in defence systems, where an aggressive system could make decisions faster than a human could respond to them, to which we would need an AI system to respond and where there is potentially no human oversight. That is a frightening scenario in which we might want to consider moratoriums and agreements, as we have in other areas of warfare such as the use of chemical weapons, that we will not allow such systems to be developed because they are so difficult to control.
If we look at the application of that sort of technology closer to home and some of the cases most referenced in the Online Safety Bill, for example the tragic death of the teenager Molly Russell, we see that what was driving the behaviour of concern was data gathered about a user to make recommendations to that person that were endangering their life. The Online Safety Bill seeks to regulate that practice by creating codes and responsibilities for businesses, but that behaviour is only possible because of the collection of data and decisions made by the company on how the data is processed.
This is where the Bill also links to the Government’s White Paper on AI, and this is particularly important: there must be an onus on companies to demonstrate that their systems are safe. The onus must not just be on the user to demonstrate that they have somehow suffered as a consequence of that system’s design. The company should have to demonstrate that they are designing systems with people’s safety and their rights in mind—be that their rights as a worker and a citizen, or their rights to have certain safeguards and protections over how their data is used.
Companies creating datasets should be able to demonstrate to the regulator what data they have gathered, how that data is being trained and what it is being used for. It should be easy for the regulator to see and, if the regulator has concerns up-front, it should be able to raise them with the company. We must try to create that shift, particularly on AI systems, in how systems are tested before they are deployed, with both safety and the principles set out in the legislation in mind.
Kit Malthouse
My hon. Friend makes a strong point about safety being designed, but a secondary area of concern for many people is discrimination—that is, the more data companies acquire, the greater their ability to discriminate. For example, in an insurance context, we allow companies to discriminate on the basis of experience or behaviour; if someone has had a lot of crashes or speeding fines, we allow discrimination. However, for companies that process large amounts of data and may be making automated decisions or otherwise, there is no openly advertised line of acceptability drawn. In the future it may be that datasets come together that allow extreme levels of discrimination. For example, if they linked data science, psychometrics and genetic data, there is the possibility for significant levels of discrimination in society. Does he think that, as well as safety, we should be emphasising that line in the sand?
Damian Collins
My right hon. Friend makes an extremely important point. In some ways, we have already seen evidence of that at work: there was a much-talked-about case where Amazon was using an AI system to aid its recruitment for particular roles. The system noticed that men tended to be hired for that role and therefore largely discarded applications from women, because that was what the data had trained it to do. That was clear discrimination.
There are very big companies that have access to a very large amount of data across a series of different platforms. What sort of decisions or presumptions can they make about people based on that data? On insurance, for example, we would want safeguards in place, and I think that users would want to know that safeguards are in place. What does data analysis of the way in which someone plays a game such as Fortnite—where the company is taking data all the time to create new stimuli and prompts to encourage lengthy play and the spending of money on the game—tell us about someone’s attitude towards risk? Someone who is a risk taker might be a bad risk in the eyes of an insurance company. Someone who plays a video game such as Fortnite a lot and sees their insurance premiums affected as a consequence would think, I am sure, that that is a breach of their data rights and something to which they have not given any informed consent. But who has the right to check? It is very difficult for the user to see. That is why I think the system has to be based on the idea that the onus must rest on the companies to demonstrate that what they are doing is ethical and within the law and the established guidelines, and that it is not for individual users always to demonstrate that they have somehow suffered, go through the onerous process of proving how that has been done, and then seek redress at the end. There has to be more up-front responsibility as well.
Finally, competition is also relevant. We need to safeguard against the idea of a walled garden for data meaning that companies that already have massive amounts of data, such as Google, Amazon and Meta, can hang on to what they have, while other companies find it difficult to build up meaningful datasets and working sets. When I was Chairman of the then Digital, Culture, Media and Sport Committee, we considered the way in which Facebook, as it then was, kicked Vine—a short-form video sharing app—off its platform principally because it thought that that app was collecting too much Facebook user data and was a threat to the company. Facebook decided to deny that particular business access to the Facebook platform. [Interruption.] I see that the Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Sutton and Cheam (Paul Scully), is nodding in an approving way. I hope that he is saying silently that that is exactly what the Bill will address to ensure that we do not allow companies with big strategic market status to abuse their market power to the detriment of competitive businesses.
Darren Jones (Bristol North West) (Lab)
I refer the House to my entry in the Register of Members’ Financial Interests.
The Bill has had a curious journey. It started life as the Data Protection and Digital Information Bill, in search of the exciting Brexit opportunities that we were promised, only to have died and then arisen as the Data Protection and Digital Information (No 2) Bill. In the Bill’s rejuvenated—and, dare I say, less exciting—form, Ministers have rightly clawed back some of the most high-risk proposals of its previous format, recognising, of course, that our freedom from the European Union, at least in respect of data protection, is anything but. We may have left the European Union, but data continues to flow between the EU and the United Kingdom, and that means of course that we must keep the European Commission happy to maintain our adequacy decision. For the most part, the Bill does not therefore represent significant change from the existing GDPR framework. There are some changes to paperwork and the appointment of officers, but nothing radical.
With that settled—at least in my view—the question is this: what is the purpose of this Bill? The Government aim to reduce regulatory burdens on business. To give Ministers credit, according to the independent assessment of the Regulatory Policy Committee, they have adequately set out how that will happen—unlike for other Government Bills in recent weeks. I congratulate the Government on their so-called “co-design” with stakeholders, which other Departments could learn from in drafting legislation. But the challenge in reducing business regulation and co-designing legislation with stakeholders is knowing how much of an influence the largest, most wealthy voices have over the smallest, least influential voices.
In this Bill—and, I suspect, in the competition Bill as its relates to the digital markets unit, and, if rumours are correct, the media Bill—that means the difference between the voice of big tech and the voice of the people. If reports are correct, I share concerns about the current influence of big tech specifically on Downing Street and about the amount of interference by No. 10 in the drafting of legislation in the Department. [Interruption.] Ministers are shaking their heads; I am grateful for the clarification. I am sure that the reporters at Politico are watching.
Research is a good example of a concern in the Bill relating to the balance between big tech and the people. When I was on the pre-legislative committee of the Online Safety Bill—on which I enjoyed working with the hon. Member for Folkestone and Hythe (Damian Collins), who spoke before me—everybody recognised the need for independent academics to have access to data from, the social media companies, for example, to help us understand the harms that can come from using social media. The Europeans have progressed that in their EU Digital Services Act, and even the Americans are starting to look at legislation in that area. But in the Bill, Ministers have not only failed to provide this access, but have opted instead to give companies the right to use our data to develop their own products. That means in practice that companies can now use the data they have on us to understand how to improve their products, primarily and presumably so that we use them more or—for companies that rely on advertising income—to increase our exposure to advertising, in order to create more profit for the company.
All that is, we are told, in the name of scientific research. That does not feel quite right to me. Why might Ministers have decided that that was necessary—a public policy priority—or that it is in any way in the interests of our constituents for companies to be able to do corporate research on product design without our explicit consent, instead of giving independent academics the right to do independent research about online harms, for example? The only conclusion I can come to is that it is because Ministers were, in the co-design process, asked by big tech to allow big tech to do that. I am not sure that consumers would have agreed, and that seems to be an example of big tech winning out in the Bill.
The second example relates to consumer rights and the ability of consumers to bring complaints and have them dealt with in a timely manner. Clause 7 allows for unreasonable delays by companies or data controllers, especially those that have the largest quantities of data on consumers. In practice, that once again benefits big tech, which holds the most data. The time that it can take to conclude a complaint under the Bill is remarkably long and will merely act as a disincentive to bringing a complaint in the first place.
It can take up to two months for a consumer or data subject to request access to the data that a company holds on them, then another two months for the company to confirm whether a complaint will be accepted. If a complaint is not accepted, there will then be up to another six months for the Information Commissioner to decide whether the complaint should be accepted, and if the Information Commissioner does decide that, the company then has one more month to provide the data, which was originally asked for nine months earlier. The consumer can then look at the data and put in a complaint to the company. If the company does not deal with the complaint, the earliest that the consumer can complain to the Information Commissioner is month 14, and the Information Commissioner will then have up to six months to resolve the complaint. All in all, that is up to 20 months of emails, forms, processes and decisions from multiple parties for an individual consumer to have a complaint considered and resolved.
That lengthy and complex complaints process also highlights the risks associated with the provisions in the Bill relating to automated decision making. Under current law, fully autonomous decision making is prohibited where it relates to a significant decision, but the Bill relaxes those requirements and ultimately puts the burden on a consumer to successfully bring a complaint against a company taking a decision about them in a wholly automated way. Will an individual consumer really do that when it could take up to 20 months? In the world we live in today, the likes of Chat GPT and other large language models will revolutionise customer service processes. The approach in the Bill seems to fail in regulating for the future and, unfortunately, deals with the past. I ask again: which stakeholder group asked the Government to draft the law in this complex and convoluted way? It certainly was not consumers.
In other regulated sectors and areas of law, such as consumer law, we allow representative bodies to bring what the Americans call “class actions” on behalf of groups of consumers whose rights have been infringed. That process is perfectly normal and exists in UK law today. Experience shows that representative bodies such as Citizens Advice and Which? do not bring class actions easily because it is too financially risky. They therefore bring an action only when there is a clear and significant breach. So why have Ministers not allowed for those powers to exist for breaches of data protection law in the same way that the European Union has, when we are very used to them existing in UK law? Again, that feels like another win for big tech and a loss for consumers. Reducing unnecessary compliance burdens on business is of course welcome, but the Government seem to have forgotten that data protection law is based on a foundation of protecting the consumer, not being helpful to business.
On a different subject, I highlight once again the ongoing creep of powers being taken from Parliament and given to the Executive. We have already heard about the powers for the Secretary of State to make amendments to the legislation without following a full parliamentary process. That keeps happening—not just in this Bill but in other Bills this Session, including the Online Safety Bill. My Committee, which has whole-of-Government scrutiny powers in relation to good regulation, has reprimanded the Department—albeit in its previous form—for the use of those Henry VIII powers. It is disappointing to see them in use again.
The Minister, in response to my hon. Friend the Member for Weaver Vale (Mike Amesbury), said that the Government had enhanced oversight of the Information Commissioner by giving themselves power to direct some of its legitimate interests or decisions, or the content of codes. I politely point out that the Information Commissioner regulates the Government’s use of our data. It seems odd to me that the Government alone are being given enhanced powers to scrutinise the Information Commissioner, and that Parliament has not been given additional oversight; that ought to be included.
The Government have yet to introduce any substantive legislation on biometrics. Biometric data is the most personal type of data, be it about our faces, our fingerprints, our voices or other characteristics that are personal to our bodies. The Bill does not even attempt to bring forward biometric-specific regulation. My private Member’s Bill in the 2019-21 Session—now the Forensic Science Regulator Act 2021—originally contained provisions for a biometrics strategy and associated regulations. At the then Minister’s insistence, I removed those provisions, having been told that the Government were drafting a more wide-ranging biometrics Bill, which we have not seen. That is especially important in the light of the Government’s artificial intelligence White Paper, as lots of AI is driven by biometric data. We have had some debate on the AI White Paper, but it warrants a whole debate, and I hope to secure a Westminster Hall debate on it soon. We need to fully understand the context of the AI White Paper as the Bill progresses through Committee and goes to the other place.
I am conscious that I have had an unusual amount of time, so I will finish by flagging two points, which I hope that the Parliamentary Under-Secretary of State for Science, Innovation and Technology will respond to in his summing-up. The first is the age-appropriate design code. I think that we all agree in this House that children should have more protection online than other users. The age-appropriate design code, which we all welcomed, is based on the foundation of GDPR. There are concerns that the changes in the Bill, including to the rights of the Secretary of State, could undermine the age-appropriate design code. I invite the Minister to reassure us, when he gets to the Dispatch Box, that the Government are absolutely committed to the current form of the age-appropriate design code, despite the changes in the Bill.
The last thing I invite the Minister to comment on is data portability. It will drive competition if companies are forced to allow us to download our data in a way that allows us to upload it to another provider. Say I wanted to move from Twitter to Mastodon; what if I could download my data from Twitter, and upload it to Mastodon? At the moment, none of the companies really allow that, although that was supposed to happen under GDPR. The result is that monopolies maintain their status and competitors struggle to get new customers. Why did the Government not bring forward provision for improved data portability in the Bill? To draw on a thread of my speech, I fear that it may be because that is not in the interests of big tech, though it is in the interests of consumers.
I doubt that I will be on the Bill Committee. I am sorry that I will not be there with colleagues who seem to have already announced that they will be on it, but I am sure that they will all consider the issues that I have raised.
Jane Hunt (Loughborough) (Con)
This Bill provides us with yet another opportunity to ensure that our legal and regulatory frameworks are tailored to our needs and specifications, now that we are free from the confines of EU law. It is crucial that we have a data rights regime that maintains the high data protection standards that the public expect, but it must do so in a way that is not overly burdensome to businesses and public services, and does not stifle innovation, growth and productivity. The Bill will go a long way to achieving that, but I would like to focus on one small aspect of it.
Announcing the First Reading of the Bill, the Secretary of State stated that it would improve
“the efficiency of data protection for law enforcement and national security partners encouraging better use of personal data where appropriate to help protect the public. It provides agencies with clarity on their obligations, boosting the confidence of the public on how their data is being used.”—[Official Report, 8 March 2023; Vol. 729, c. 20WS.]
That is a positive step forward for national security, but we are missing a crucial opportunity to introduce further reforms that will reduce administrative burdens on police forces across the UK.
I recently met members of the Leicestershire Police Federation, who informed me of the association’s concerns regarding part 3 of the Data Protection Act 2018. Specifically, the Police Federation is concerned about how the requirements of part 3 interact with the Crown Prosecution Service’s “Director’s Guidance on Charging”, which obliged the police to provide more information to the CPS pre-charge. That information includes unused material, digitally recovered material and third-party material, all of which must be redacted in accordance with the Data Protection Act.
Combined, the guidance’s requirements and the provisions of the Act represent a huge amount of administrative work for police officers, who would have to spend hours making the necessary redactions. Furthermore, much of that work may never be used by the CPS if no charge is brought, or the defendant pleads guilty before trial. Nationally, around 25% of cases submitted to the CPS result in no charge. This desk-based work would remove police officers from the frontline.
Picture the scene of an incident. Say that 10 police officers attend, all turning on their body cameras as they arrive. They deal with different aspects of the incident; they talk to a variety of people and take statements, standing in different positions that result in different backgrounds to the video footage and different side-conversations being captured. The lead officer then spends hours, if not days, redacting all the written data and video footage generated by all the officers, only for the redacted data to be sent to a perfectly trusted source, the CPS, which will not necessarily take the case forward.
The data protection Bill is meant to update and simplify the data protection framework used by bodies in the UK. The Bill refers to the work of the police in national security situations, but it should also cover their day-to-day work as a professional body. They should be able to share their data with the CPS, another professional body. Both have a legitimate interest in accessing and sharing the data collected. My hon. Friend the Minister for Data and Digital Infrastructure will know that this is an issue, as I have already raised it with her. I am very grateful for her considered response, and for the Government’s commitment to looking into this matter further, including in the context of this Bill, and at whether the Police Federation’s idea of a data bubble between the police service and the CPS is a workable solution.
I look forward to working with the Government on the issue. It is vital that we do what we can to ease the administrative burden on police officers, so that we can free up thousands of policing hours every year and get police back to the frontline, where they can support communities and tackle crime. Speaking of easing burdens, may I also take this opportunity to wish my hon. Friend the Minister the very best with the arrival that is expected in, I suspect, the none-too-distant future?
Daniel Zeichner (Cambridge) (Lab)
My interest in this debate comes from my representing a science and research city, where data, and transferring it, is key, and from my long-term background in information technology. Perhaps as a consequence of both, back in 2018 I was on the Bill Committee that had the interesting task of implementing GDPR, even though, as my hon. Friend the Member for Bristol North West (Darren Jones)—my good friend—pointed out at the time, none of us had the text in front of us. I think he perhaps had special access to it. In those long and complicated discussions, there were times when I was not entirely sure that anyone in the room fully gripped the complexity of the issues.
I recall that my right hon. Friend the Member for Birmingham, Hodge Hill (Liam Byrne) persistently called for a longer-term vision that would meet the fast-changing challenges of the digital world, and Labour Members constantly noted the paucity of resources available to the Information Commissioner’s Office to deal with those challenges, notwithstanding yellow-vested people entering offices. Five years on, I am not sure that much has changed, because the Bill before us is still highly technical and detailed, and once again the key issues of the moment are being dodged.
I was struck by the interesting conversations on the Conservative Benches, which were as much about what was not being tackled by the Bill as what is being tackled —about the really hot issues that my hon. Friend the Member for Manchester Central (Lucy Powell) mentioned in her Front-Bench speech, such as ChatGPT and artificial intelligence. Those are the issues of the moment, and I am afraid that they are not addressed in the Bill. I make the exact point I made five years ago: there is the risk of hard-coding previous prejudice into future decision making. Those are the issues that we should be tackling.
I chair the all-party parliamentary group on data analytics, which is carrying out a timely review of AI governance. I draw Members’ attention to a report made by that group, with the help of my hon. Friend the Member for Bristol North West, called “Trust, Transparency and Technology”. It called for, among other things, a public services licence to operate, and transparent, standardised ethics and rules for public service providers such as universities, police, and health and care services, so that we can try to build the public confidence that we so need. We also called for a tough parliamentary scrutiny Committee, set up like the Public Accounts Committee or the Environmental Audit Committee, to make sure the public are properly protected. That idea still has strong resonance today.
I absolutely admit that none of this is easy, but there are two particular areas that I would like to touch on briefly. One, which has already been raised, is the obvious one of data adequacy. Again, I do not feel that the argument has really moved on that much over the years. Many of the organisations producing briefings for this debate highlight the risks, and back in 2018—as I think the right hon. Member for Maldon (Sir John Whittingdale) pointed out—there were genuine concerns that we would not necessarily achieve an adequacy agreement with the European Union. Frankly, it was always obvious that this was going to be a key point in future trade negotiations with the EU and others, and I am afraid that that is the way it has played out.
It is no surprise that adequacy is often a top issue, because it is so essentially important, but that of course means that we are weakened when negotiation comes to other areas. Put crudely, to get the data adequacy agreements we need, we are always going to be trading away something else, and while in my opinion the EU is always unlikely to withhold at the very end, the truth is that it can, and it could. That is a pretty powerful weapon. On the research issues, I would just like to ask the Minister whether, in summing up, he could comment on the concerns that were raised back in 2018 about the uncertainty for the research sector, and whether he is confident that what is proposed now—in my view, it should have been done then—can provide the clarity that is needed.
On a more general note, one of the key Cambridge organisations has pointed out to me that, in its view, it is quite hard to see the point of this Bill for organisations that are operating globally because, as the EU GDPR has extraterritorial effect, they are still going to need to meet those standards for much of what they do. It would simply be too complicated to try to apply different legal regimes to different situations and people. That is the basic problem with divergence: when organisations span multiple jurisdictions, taking back control is frankly meaningless. Effectively, it cedes control to others without having any influence—the worst of all worlds. That organisation also tells me that it has been led to believe by the Government, as I think was echoed in some of the introductory points, that any organisation wishing to carry on applying current legal standards will, by default, meet those in the new Bill. It is sceptical about that claim, and it would like some confirmation, because it rightly wonders how that can be the case when new concepts and requirements are introduced and existing ones amended.
There is much, much more that could be said, has been said and will be said by others, including genuine concerns about the weakening of rights around subject access requests and some of the protections around algorithmic unfairness. Those need to be tested and scrutinised in Committee; frankly, too much cannot just be left to ministerial judgment. Huge amounts of data are now held about all of us, and the suspicion is rightly held that decisions are sometimes made without our knowledge, decisions that can have a direct impact on our lives. I think we can all agree that data used well can be transformative and a power for good, but that absolutely relies on confidence and trust, which in turn requires a strong regulatory framework that engenders that trust. It feels to me like this Bill fails to meet some of those challenges. It needs to be strengthened and improved.
Robin Millar (Aberconwy) (Con)
It is a pleasure to follow the speech of the hon. Member for Cambridge (Daniel Zeichner), and in fact, I have enjoyed listening to the various contributions about the many aspects of the many-headed hydra that the data Bill represents. In particular, the point made by the hon. Member for Manchester Central (Lucy Powell) about interoperability and the one made by the hon. Member for Glasgow North West (Carol Monaghan) about hurdles are points I will be returning to briefly.
I welcome the fact that we have a Bill that focuses on data. Data is the new oil, as they say, and it is essential that we grapple with the implications of that. If there is need of an example, data was critical in our fight against covid-19. Data enabled the rapid processing of new universal credit applications. Data meant that we could target funds into business accounts quickly to make sure that furlough payments were made. Data gave us regular updates on infection rates, and data underpinned the research into vaccines, their rapid roll-out, and their reporting to the right people, at the right time and in the right place. We have also seen that data on all those matters was questioned at every step of the way then and continuously since.
Data matters. This Bill matters: it gives us an opportunity to redefine our regulatory approach, as the hon. Member for Cambridge alluded to. It also provides a clearer and more stable framework for appropriate international transfers of personal data—I stress the word “appropriate”. In addition, it is welcome that the Bill extends data-sharing powers, enabling the targeting of Government services to support business growth more effectively and deliver joined-up public services, which will be the thrust of my contribution. I also welcome the Bill’s delivery of important changes to our everyday lives. Whether it is an increase in financial penalties for those behind nuisance calls, addressing the number of cookie pop-ups on web browsers that we use every day, or providing a trusted framework for digital verification services, these are important updates in protecting everyday lives that are, in part, lived online now. That is to be welcomed—provided, again, that the necessary safeguards are in place.
I will give the bulk of my time to focusing on another area in which I think the Bill could go much further. The Bill recognises that, for public services to operate efficiently, safely and with effective scrutiny, data should be collected, presented, processed and shared in a consistent way, yet it is frustrating that the current scope of the Bill is for such information standards to apply in England only.
I am going to use health as an example to illustrate my point. In Aberconwy, we are experiencing severe, systematic failings in the delivery of health services across north Wales. The health board has been under special measures for six of the past eight years, and in their latest intervention, the Welsh Government have just sacked the non-executive members of the board. It therefore comes as little surprise that health is the No. 1 domestic concern for constituents across north Wales, or that my constituents put it into our plan for Aberconwy. This is not an exercise in point scoring, but in this Bill, I see an opportunity to help to tackle that problem. Wales is linked to the rest of the UK, historically and today, on an east-west axis for family, business, leisure and public services. Our health and social care services in north Wales rely on working and sharing information with colleagues in England—with hospitals in Chester, Stoke and Liverpool. However, sharing that data, which relies on the interoperability that the hon. Member for Manchester Central referred to, often presents an obstacle to care.
Of course, I recognise and respect that health is a devolved matter that is under the remit of the Welsh Government in Cardiff Bay, but one of the arguments made in favour of Welsh devolution 25 years ago was that it would enable learning from comparisons between different policy approaches across the UK, exposing underperformance as well as celebrating successes. In order to do so, though, we must have comparable and reliable data. If this sounds familiar, I made exactly that point in the debate on the Health and Care Bill back in November 2021. At that time, working with hon. Friends from across north Wales, we showed that we had overwhelming support from patients—they agreed that data must be shared. The healthcare professionals we spoke to also agreed that data needed to be shared. The IT experts we consulted with agreed that data must and could be shared, and the local administrators, community groups and civil servants we spoke to also told us that data needed to be shared. However, the reality is that currently, data in different parts of the UK is often not comparable, nor is the timing of its publication aligned.
Again, I have focused today on health as a pressing and urgent example of the need for sharing data, but these points apply across our public services. Indeed, my hon. Friend the Member for Loughborough (Jane Hunt) gave an excellent and powerful practical example of how data sharing within the police inadvertently introduces all sorts of unnecessary barriers. As much as I have spoken about health, these points apply equally to the education of our children, the wellbeing of our grandparents, skilling our workforce, levelling up our communities, ensuring fair and competitive environments for business across the UK, and more—not least the future of our environment.
I repeat: good data is essential for good services. I recognise the good work that is going on in the Office for National Statistics, with the helpful co-operation of devolved Administrations, but it is time and an opportunity for the Government to consider amending the Bill in Committee to mandate agreement on, and the collection and publication of, key UK-wide data for public services. That data should be timely, accessible and interoperable.
All Administrations will already hold data for the operation of public services, but comparability and interoperability will allow professionals and planners to assign resources and guide interventions where they are needed most. It will allow patients and users of public services to make informed decisions about where to be treated, where to live and where to seek those services. It will also allow politicians like me to be held to account when services fail. I do not believe that such an amendment would divide the House in compassion or in common sense.
In conclusion, I know our Prime Minister understands the importance of data. He seeks to put it at the heart of a modern, innovative, dynamic and thriving UK, but it must be good data that flows through our veins and to all parts of our nation if it is to animate us and make the UK a success. For that reason, we need to go further. We need to ensure data comparability and interoperability across all parts of the UK. I look forward to hearing the Minister’s closing remarks.
Layla Moran (Oxford West and Abingdon) (LD)
I start by echoing the well wishes to the Secretary of State on her imminent arrival. I am delighted to be here in my first outing as the Lib Dem spokesperson for science, innovation and technology, although in my mind I consider it as the spokesperson for proud geeks. I appreciate that is not a term everyone likes, but as a physics graduate and an MP for Oxford, where we have many fellow-minded geeks, I am proud to call myself that.
Much as this important Bill is geeky and technical—it sounds like it will be an interesting Bill Committee —it integrates into our whole lives. People have spoken about the potential and progress, and I agree to an extent with the comment from the hon. Member for Aberconwy (Robin Millar) about this being the new oil. However, in the context of climate change, there is a lesson for us there. Imagine that we knew then what we know now. We can already see that here. As new as some of these technologies are, and as new as some of these challenges may be, it does feel like, as legislators, we are constantly playing catch-up with this stuff.
We consult and we look, and we know what the problems are and what the issue fundamentally is, but I agree with the hon. Member for Cambridge (Daniel Zeichner) that we need a bit of vision here. I would argue that what we need is what my former colleague, the former Member for East Dunbartonshire, called for, which is a code of ethics for data and artificial intelligence. I sincerely hope that the Government, with the extra power to the elbow of the new Department, can put some real resource behind that—not in White Papers and thought, but in a proper bit of legislation that answers some of the questions raised earlier about the moral use, for example, of artificial intelligence in war.
Those are important questions. The problem and worry I have is that this Government and others will find themselves constantly on the back foot, unless we talk not just about the geekery and the technical bits—by the sounds of it, there are enough of us in the House who would enjoy doing that—but about the slightly loftier and more important ways that this Bill will connect with society.
In the digital first age, the Government themselves are encouraging those who want to access benefits and every other part of the state to do so digitally. If someone is to be a full citizen of the state, they are required often to give over their data. If someone does not want to engage with the digital realm, it is difficult for them to access the services to which they are entitled. Those are some of the big issues that encircle this Bill. It is fair to make that point on Second Reading, and I urge the Government, and especially the new Department, to give serious thought to how they will knit this all together, because it is incredibly important.
The Liberal Democrats have a few issues with the Bill. I associate myself with the remarks of the hon. Member for Bristol North West (Darren Jones), and in particular what he said in asking who is at the centre of the Bill, which is incredibly important. As liberals, we believe it should always be the citizen. Where there is a conflict of interest between the citizen, business and the state, in our view and in our political ideology, the citizen always comes top. I am not convinced that has been at the heart of the Bill at points. Citizens have been thought about, but were they at the centre of it at every stage? I am afraid that our ability as individuals to access, manipulate and decide who has our data has at various stages got lost.
The concerns we share with others are in four main areas: the Bill will undermine data rights; it will concentrate power with the Secretary of State—notwithstanding potential change in government, that is the sort of thing that Parliament needs to think about in the round, regardless of who is in power; the Bill will further complicate our relationship with Europe, as some have mentioned; and it sets a worrying precedent.
We need to understand where we start from. Only 30% of people in the UK trust that the Government use their data ethically. That means that 70% of people in the UK do not. Polls across the world have shown roughly the same thing. That is a huge level of mistrust, and we need to take it seriously. The Open Rights Group has described the Bill as part of a deregulatory race to the bottom, as the rights and safeguards of data subjects could be downgraded because of the changes proposed.
Clause 5 and schedule 1 to the Bill introduce a whole set of legitimate interests for processing data without consent and with few controls around their application. The Bill changes the definition of personal data, which would reduce the circumstances in which that information is protected. It reforms subject access requests, as others have said. We all run our own small businesses in our offices as MPs. We understand the burden placed on small businesses in particular, but it is absolutely the right of that individual to find out what is held on them in the way that subject access requests allow. If there is a conflict, it is the right of the individual that needs to be protected. The Government assess that the proposal would save about £82 a year—a price worth paying, given the number of consumers whom those businesses on average are looking after. There is an important hierarchy of user use that is not entirely captured by what the Government have been saying so far.
Big Brother Watch has said:
“The revised Data Protection and Digital Information Bill poses serious threats to Brits’ privacy. The Government are determined to tear up crucial privacy and data protection rights that protect the public from intrusive online surveillance and automated-decision making in high-risk areas. This bonfire of safeguards will allow all sorts of actors to harvest and exploit our data more than ever before. It is completely unacceptable to sacrifice the British public’s privacy and data protection rights on the false promise of convenience.”
I am deeply concerned that far from restoring confidence in data protection, the Bill sets a dangerous precedent for a future in which rights and safeguards are undermined. I have listened to what the Secretary of State has said at the Dispatch Box. I sincerely hope that those safeguards that the Government want to keep in place will remain in place, but we should be listening to those third-party groups that have scrutinised this Bill in some detail. There are legitimate concerns that need to be addressed.
My other concern is the concentration of power with the Secretary of State. As I have said before, while it would be lovely to think that all Secretaries of State and all Governments will all think the same on this and that we all have the same principles, my deep concern is that one day that will not happen. There is an important part for Parliament to play, especially when legislation is running behind what is happening in society, in raising the issues in real time. My worry is that by acting through secondary legislation, which we end up scrutinising less and less often, the Government do not have a mechanism for Parliament to feed in as society changes, which can be year-on-year. We need some way, whether through a Select Committee or whatever, to be able to keep pace with changes in society.
Finally, I want to talk about adequacy and in particular its loss being a real concern. I am pleased to hear that being raised on all sides in the House, which is a good sign, but I hope that this is not a case where little then gets changed in the Bill, as we have seen many times over. We could have it both ways: we can diverge from EU standards if we make the protection of the rights of the citizens stronger. Some who have mentioned divergence, however, have spoken about a weakening, which I worry will lead to a loss of adequacy.
In closing, will the Minister give a cast-iron guarantee to businesses that rely on it—and to our researchers who equally rely on it—that adequacy will not be watered down but will be one of the key tenets of how we move forward? Certainty for businesses and our researchers is incredibly important, and if there is any suggestion that changes in the Bill will affect that, they must be pulled immediately.
Jim Shannon (Strangford) (DUP)
It is a pleasure to add some comments and make a contribution, and also to have heard all the right hon. and hon. Members’ speeches as I have sat here tonight. There will not be any votes on the Bill, I understand, but if there had been, my party would have supported the Government, because I think the intention of the Minister and the Government is to try to find a correct way forward. I hope that some of the tweaking that is perhaps needed can happen in a positive way that can address such issues. It is always good to speak in any debate in this House, but this is the first one after the recess, and I am indeed very pleased to be a part of any debates in the House. I have spoken on data protection and its importance in the House before, and I again wish to make a contribution, specifically on medical records and protection of health data with regard to GP surgeries. I hope to address that with some questions for the Minister at the end.
Realistically, data protection is all around us. I know all too well from my constituency office that there are guidelines. There are procedures that my staff and I must follow, and we do follow them very stringently. It is important that businesses, offices, healthcare facilities and so on are aware of the guidelines they must follow, hence the necessity of this Bill. As I have said, if there had been a vote, we would have supported the Government, but it seems that that will not be the case tonight. Data exposure means the full potential for it to fall into the wrong hands, posing dangers to people and organisations, so it is great to be here to discuss how we can prevent that, with the Government presenting the legislation tonight and taking it through Committee when the time comes.
I have recently had some issues with data protection—this is a classic example of how mistakes can happen and how important data can end up in the wrong place—when in two instances the Independent Parliamentary Standards Authority accidentally published personal information about me and my staff online. It did not do it on purpose—it was an accident, and it did retrieve the data very quickly—but it has happened on two occasions at a time of severe threat in Northern Ireland and a level of threat on the mainland as well. Although the matter was quickly resolved, it is a classic example of the dangers posed to individuals.
I am sure Members are aware that the threat level in Northern Ireland has been increased. Despite there being external out-of-office security for Members, I have recently installed CCTV cameras in my office for the security of my staff, which, though not as great in comparison, is my responsibility. I have younger staff members in their 20s who live on their own, and staff who are parents of young children, and they deserve to know that they are safe. Anxieties have been raised because of the data disclosure, and I imagine that many others have experienced something similar.
I want to focus on issues about health. Ahead of this debate, I have been in touch with the British Medical Association, which raised completely valid concerns with me about the protection of health data. I have a number of questions to ask the Minister, if I may. The BMA’s understanding of the Bill is that the Secretary of State or the Minister will have significant discretionary powers to transfer large quantities of health information to third countries with minimal consultation or transparent assessment about how the information will benefit the UK. That is particularly worrying for me, and it should be worrying for everyone in this House. I am sure the Minister will give us some clarification and some reassurance, if that is possible, or tell us that this will not happen.
There is also concern about the Secretary of State having the power to transfer the same UK patients’ health data to a third country if it is thought that that would benefit the UK’s economic interests. I would be very disturbed, and quite annoyed and angry, that such a direction should be allowed. Again, the Minister may wish to comment on that at the end of the debate. I would be grateful if the Minister and his Department provided some clarity for the BMA about what the consultation process will be if information is to be shared with third-party countries or organisations.
There have also been concerns about whether large tech and social media companies are storing data correctly and upholding individuals’ rights or privacy correctly. We must always represent our constituents, and the Bill must ensure that the onus of care is placed on tech companies and organisations to legally store data safely and correctly. The safety and protection of data is paramount. We could not possibly vote for a Bill that undermined trust, furthered economic instability and eroded fundamental rights. Safeguards must be in place to protect people’s privacy, and that starts in the House today with this Bill. Can the Minister assure me and the BMA that our data will be protected and not shared willy-nilly with Tom, Dick and Harry? As I have said, protection is paramount, and we need to have it in place.
To conclude, we have heard numerous stories both from our constituents and in this place about the risks of ill-stored and unprotected data. The Bill must aim to retain high data protection standards without creating unnecessary barriers for individuals and businesses. I hope that the Minister and his Department can answer the questions we may have to ensure that the UK can be a frontrunner in safe and efficient data protection. We all want that goal. Let us make sure we go in the right direction to achieve it.
Stephanie Peacock (Barnsley East) (Lab)
I would like to add my best wishes to the Minister and the Secretary of State on their imminent arrivals.
We are in the midst of a tech revolution, and right at the centre of this is data. From social media and online shopping to the digitisation of public services, the rate at which data is being collected, processed and shared is multiplying by the minute. This new wealth of data holds great potential for innovation, boosting economic growth and improving the delivery of public services. The aims of the Bill to unlock the economic and societal benefits of data while ensuring strong, future-proofed privacy rights are therefore ones that we support. We welcome, for example, provisions to modernise the ICO structure, and we support provisions for the new smart data regimes, so long as there are clear requirements for impact assessments.
However, the Bill in its current form does not go far enough in actually achieving its aims. Its narrow approach and lack of clarity render it a missed opportunity to implement a truly innovative and progressive data regime. Indeed, in its current form many clarifications will be needed to reassure the public that their rights will not be weakened by the Bill while sweeping powers are awarded to the Secretary of State. Currently, solely automated processing is defined by the Bill as one having “no meaningful human involvement” that results in a “significant decision”, with the Secretary of State trusted with powers to amend what counts within this definition. The lack of detail on the boundaries of such definitions as well as their ability to change over time have concerned the likes of the Ada Lovelace Institute and the TUC.
The Chair of the Business, Energy and Industrial Strategy Committee, my hon. Friend the Member for Bristol North West (Darren Jones), outlined in his powerful speech the power imbalance between big tech and the people, which is an important insight and a challenge for us in this House. Indeed, just this month Uber was found to have violated the rights of three UK-based drivers by firing them without appeal on the basis of fraudulent activity picked up by its automated decision-making system. In its judgment, the court found that the limited human intervention in Uber’s automated decision process was not
“much more than a purely symbolic act”.
This case and the justice the drivers received therefore explicitly relied on current legislation in the form of article 22 of the UK GDPR, and a clear understanding of what constitutes meaningful human involvement. Without providing clear boundaries for defining significant decisions and meaningful human involvement, this Bill therefore risks removing the exact rights that won this case and creating an environment where vital safeguards, such as the right to contest automated decisions and request human intervention, could easily become exempt from applying at the whim of the Secretary of State. This must be resolved, and the public must be reassured that they will not be denied a job, mortgage or visa by an algorithm without a method of redress.
There is also a lack of clarity around how rules allowing organisations to charge a fee or refuse subject access requests deemed “vexatious” and “excessive” will work, as the likes of Which? and the Public Law Project have argued and which my hon. Friend the Member for Cambridge (Daniel Zeichner) highlighted. Indeed, if the list of circumstances where these terms might be met is non-exhaustive, what safeguards will be in place to stop controllers from abusing this, deciding that any request they dislike is vexatious? Organisations should absolutely be supported in directing resources to good faith requests, but we must be careful to ensure that any new limits are protected against abuse.
Reform of the responsibilities of the Information Commissioner’s Office is another area in need of analysis. Indeed, more than evolving its structure, the Bill gives the Secretary of State power to set the strategic priorities of the regulator and approve codes of practice. This has sparked concern across the spectrum of stakeholders, from the Open Rights Group to techUK, over what it means for the regulator’s independence. Given these new powers, particularly in cases where guidance addresses the activity of the Government, how can Ministers assure us that a Secretary of State will not be marking their own homework?
Whether it is the Secretary of State being able to amend the “recognised legitimate interests” list or the removal of the requirement for consultation on impact assessment, this same theme is echoed throughout the Bill, which was raised by the hon. Member for Oxford West and Abingdon (Layla Moran). Without additional guidance and clear examples of how definitions apply, it is hard to grasp the full extent of the consequences of these new measures, especially given the sweeping powers of the Secretary of State to make further changes. We will look to ensure that this clarity is included in the Bill, so that everyone can be assured of their rights and of a truly independent regulator. We must also ensure that children are protected by the Bill and that the age-appropriate design code is not compromised, as raised by the hon. Member for Folkestone and Hythe (Damian Collins) and others across the House.
Clarity on the new regime is also vital for reassuring businesses who still have fears around losing EU adequacy, something raised throughout this debate and which the former Secretary of State the right hon. Member for Maldon (Sir John Whittingdale) outlined in his contribution. The Government have said that they recognise that losing adequacy would be disastrous, costing up to £460 million as a one-off and £410 million every year afterwards. Ministers have rightly rowed back on many of the more concerning suggestions from their consultation, but they must be absolutely clear on how they are sure that the measures in the Bill, particularly those that toy with the regulator’s independence and give Ministers power to create further change, will not threaten adequacy.
Having already made significant adjustments to comply with UK GDPR, the changes in the Bill must also be careful not to create further uncertainty for businesses. Indeed, although Ministers say that anyone who abides by the current rules will still be compliant after the passing of the Bill, organisations will still have to do their own legal due diligence to understand how, if at all, this set of amendments impacts them. It would therefore be good to hear from Ministers on how they plan to ensure that businesses, particularly small and medium-sized enterprises, are supported in understanding the requirements on them.
We understand the Government’s attempts to future-proof this legislation, and it would be great to see an end to constant cookie banners or nuisance calls, which the hon. Member for Aberconwy (Robin Millar) referenced, but the measures in the Bill rely on technology that does not currently operationally exist. In the case of browser-enabled cookie models, there is also the concern that this may entrench power in the hands of existing tech giants and muddy the waters on liability. We must be careful, therefore, to ensure that businesses can actually implement what the Bill requires.
Ultimately, with the exception of the section on smart data, this Bill chooses to take a very narrow view of what an innovative data regime could look like. In the context of a rapidly changing world, this Bill was a great opportunity to really consider how we can get data working in better interests, like those of the general public or small businesses. Labour would have used a Bill like this to, for example, examine how data can empower communities and collective groups such as workers in industries who have long felt that they have been on the wrong end of automated decision-making as well as the automation of jobs.
We would also have sought to improve public trust and understanding in how our data is used, particularly since the willingness to share data has been eroded after the likes of the Cambridge Analytica scandal, the NHS data opt-out, and the exam algorithm scandal, which disproportionately affected my constituents in Barnsley. As it stands, however, the Bill seems only to consider data rights when they emerge as a side product of making changes to rules for processors. Data rights and data protection have wide-ranging consequences across society, as the hon. Member for Strangford (Jim Shannon) discussed. Labour would have used this as an opportunity to look at the larger picture of data ownership. Deregulation measures such as those in the Bill might mean less work for some small businesses, but as long as a disproportionate amount of data is held by a limited number of firms, they will still be at a large competitive disadvantage. From introducing methods of collective redress to nurturing privacy-enhancing technologies, there are many positive opportunities a progressive data Bill could have explored to put our country at the forefront of innovation while genuinely strengthening rights and trust for the modern era, but the Government have missed this opportunity.
Overall, we can all agree on unlocking innovation through data while ensuring data subjects have the rights and trust they fundamentally deserve. However, there are many areas for clarity and improvement if this Bill is to match the bold vision required to truly be at the forefront of data use and data protection. I look forward to working closely with Ministers in the coming months towards legislation that better fulfils these aims.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Paul Scully)
I thank all Members for their contributions, including the hon. Members for Manchester Central (Lucy Powell), for Glasgow North West (Carol Monaghan), for Bristol North West (Darren Jones), for Cambridge (Daniel Zeichner), for Oxford West and Abingdon (Layla Moran), for Strangford (Jim Shannon) and for Barnsley East (Stephanie Peacock) and my right hon. Friend the Member for Maldon (Sir John Whittingdale) and my hon. Friends the Members for Folkestone and Hythe (Damian Collins), for Loughborough (Jane Hunt) and for Aberconwy (Robin Millar). The debate has been held in the right spirit, understanding the importance of data, and I will try to go through a number of the issues raised.
Adequacy has come up on a number of occasions. We have been straight from the beginning that adequacy is very important and we work with the EU Commission on this; we speak to it on a regular basis, but it is important to note that the EU does not require exactly the same rules to be in place to be adequate. We can see that from Japan and from New Zealand, so we are trying to get the balance right and making sure that we remain adequate not just with the EU but with other countries with which we want to have data bridges and collaboration. We are also making sure that we can strip back some of the bureaucracy not just for small businesses, but for public services including GPs, schools and similar institutions, as well as protecting the consumer, which must always be central.
Automated decision-making was also raised by a number of Members. The absence of meaningful human intervention in solely automated decisions, along with opacity in how those decisions can be reached, will be mitigated by providing data subjects with the opportunity to make representations about, and ultimately challenge, decisions of this nature that are unexpected or seem unwarranted. For example, if a person is denied a loan or access to a product or services because a solely automated decision-making process has identified a high risk of fraud or irregularities in their finances, that individual should be able to contest that decision and seek human review. If that decision is found to be unwarranted on review, the controller must re-evaluate the case and issue an appropriate decision.
Our reforms are addressing the uncertainty over the applications of safeguards. They will clarify when safeguards apply to ensure that they are available in appropriate circumstances. We will develop that with businesses and other organisations in guidance.
The hon. Member for Glasgow North West talked about joint-working designation notices and it is important to note that the police and intelligence services are working off different data regimes and that can make joint-working more difficult. Many of the changes made in this Bill have come from learning from the Fishmongers’ Hall terrorist incident and the Manchester Arena bombing.
Members raised the question of algorithmic bias. We agree that it is important that organisations are aware of potential biases in data sets and algorithms and bias monitoring and correction can involve the use of personal data. As we set out in our response to the consultation on the Bill, we plan to introduce a statutory instrument that will provide for the monitoring and correction of bias in AI systems by allowing the processing of sensitive personal data for this purpose with appropriate safeguards. However, as we know from the AI White Paper we published recently, this is a changing area so it is important that we remain able to flex in Government in the context of AI and that type of decision-making.
The hon. Member for Bristol North West talked about biometrics. That is classed as sensitive data under the UK GDPR, so is already provided with additional protection. It can only be processed if a relevant condition is met under article 9 or schedule 1 of the Data Protection Act. That requirement provides sufficient safeguards for biometric data. There are significant overlaps in the current oversight framework, which is confusing for the police and the public, and it inhibits innovation. That is why the Bill simplifies the oversight for biometrics and overt surveillance technologies.
The hon. Gentleman talked about age-appropriate guidance. We are committed to protecting children and young people online. The Bill maintains the high standards of data protection that our citizens expect and organisations will still have to abide by our age-appropriate design code. Any breach of our data protection laws will result in enforcement action by the Information Commissioner’s Office.
The hon. Gentleman also talked about data portability. The Bill increases data portability by setting up smart data regulations. He talked about social media, but it is far wider than that. Smart data is the secure sharing of customer data with authorised third parties on the customer’s request. Those third parties can then use that data to provide innovative services for the consumer or business user, utilising AI and data-driven insights to empower customer choice. Services may include clear account management across services, easier switching between offers or providers, and advice on how to save money. Open banking is an obvious live example of that, but the Bill, with the smart data changes within it, will turbocharge the use of this matter.
My hon. Friend the Member for Loughborough talked about policing. It will save 1.5 million police hours, but it is really important that we do more. We are looking at ways of easing redaction burdens for the police while ensuring we maintain victim and witness confidence. It is really important to them, and in the interests of public trust, that the police do not share information not relevant to a case with other organisations, including the Crown Prosecution Service and the defence. Removing information, as my hon. Friend says, places a resource burden on officers. We will continue to work with the police and the Home Office on that basis.
On UK-wide data standards, raised by my hon. Friend the Member for Aberconwy, improving access to comparable data and evidence from across the UK is a crucial part of the Government’s work to strengthen the Union. The UK Government and the Office for National Statistics have an ongoing and wide-ranging work programme to increase coherency of data across the nations, as my hon. Friend is aware. We remain engaged in discussions and will continue to work with him, the Wales Office and the ONS to ensure that we can continue.
On international data transfer, it is important that we tackle the uncertainties and instabilities in the current regime, but the hon. Member for Strangford is absolutely right that in doing that, we must maintain public trust in the transfer system.
Finally, on the ICO, we believe that the Bill does not undercut its independence. It is really important that, for the trust issues I have talked about, we retain its independence. It is not about Government control over an independent regulator and it is not about a Government trying to exert influence or pressure for what are deemed to be more favourable outcomes. We are committed to the ICO’s ongoing independence and that is why we have worked closely with the ICO. The Information Commissioner himself is in favour of the changes we are making. He has spoken approvingly about them.
This is a really important Bill, because it will enable greater innovation while keeping personal protections to keep people’s data safe.
Question put and agreed to.
Bill accordingly read a Second time.
Data Protection and Digital Information (No. 2) Bill (Programme)
Motion made, and Question put forthwith (Standing Order No. 83A(7)),
That the following provisions shall apply to the Data Protection and Digital Information (No. 2) Bill:
Committal
(1) The Bill shall be committed to a Public Bill Committee.
Proceedings in Public Bill Committee
(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Tuesday 13 June 2023.
(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.
Consideration and Third Reading
(4) Proceedings on Consideration shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which those proceedings are commenced.
(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.
(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and Third Reading.—(Joy Morrissey.)
Question agreed to.
Data Protection and Digital Information (No. 2) Bill (Money)
King’s recommendation signified.
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Data Protection and Digital Information (No. 2) Bill, it is expedient to authorise the payment out of money provided by Parliament of—
(a) any expenditure incurred under or by virtue of the Act by the Secretary of State, the Treasury or a government department, and
(b) any increase attributable to the Act in the sums payable under any other Act out of money so provided.—(Joy Morrissey.)
Question agreed to.
Data Protection and Digital Information (No. 2) Bill (Ways and Means)
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Data Protection and Digital Information (No. 2) Bill, it is expedient to authorise:
(1) the charging of fees or levies under or by virtue of the Act; and
(2) the payment of sums into the Consolidated Fund.—(Joy Morrissey.)
Question agreed to.
Data Protection and Digital Information (No. 2) Bill (Carry-over)
Motion made, and Question put forthwith (Standing Order No. 80A(1)(a)).
That if, at the conclusion of this Session of Parliament, proceedings on the Data Protection and Digital Information (No. 2) Bill have not been completed, they shall be resumed in the next Session.—(Joy Morrissey.)
Question agreed to.