Darren Jones (Bristol North West) (Lab)

- Hansard -

Copy Link

-

I declare my interest, as set out in the Register of Members’ Financial Interests.

I am sure the Minister will want to encourage the increasing number of her colleagues who have their own budding leadership WhatsApp groups to update their app. My hon. Friend the Member for West Bromwich East (Tom Watson) made an important point that this is not only about encryption but about the connection between devices and the transition from the old copper cables to the VoIP system of broadband connectivity. This is a question for Ofcom, not the ICO, so what conversations is the Minister having with Ofcom about the security standards for connections over the internet-based communications network?

Darren Jones (Bristol North West) (Lab)

- Hansard -

Copy Link

-

It is a pleasure to serve under your chairmanship, Mr Evans. I declare my interest, which is in the Register of Members’ Financial Interests. I am a member of the European Scrutiny Committee and of the Select Committee on Science and Technology, which both have an interest in this area. I apologise on behalf of my many colleagues who were not able to join us today.

The exchange of personal data between the UK and the EU is vital for current business, the functioning of public services, security and policing, and future trade. Whether it is used by innovative, cutting-edge new businesses or modernising old industries, data is at the heart of revolutionising the way we work and the way we live our daily lives. Data is becoming so pervasive that this issue affects both our constituents and the organisations we often refer to in such debates. The General Data Protection Regulation has brought data protection to the minds of many people who may not previously have spent much time thinking about it, and data breaches by big-name companies, digital or otherwise, keep the issue in the headlines. That is why we are having this important debate.

Although the European Scrutiny Committee thanks the Government for agreeing to schedule the debate, we are disappointed that it is not on the Floor of the House as we requested, particularly as a wide range of Select Committee Members, who unfortunately could not be here, have an interest in the topic. I hope the debate sheds light on the Government’s position on personal data flows in three different Brexit scenarios and in the post-Brexit world—if, as I keep saying, Brexit actually happens.

First, how will personal data transferred from the EU to the UK during a transition period be treated after that period? I understand that is one of the so-called separation issues to be dealt with under the withdrawal agreement—specifically article 67 of that agreement, which states that personal data needs to be processed in accordance with European Union law during any transition period, and thereafter in respect of what happens in the agreement. Will the Minister for Digital and the Creative Industries update us on the negotiations with the European Union about how safeguards will be put in place during a transition period and, in respect of data flows within such a period, under a new regime when it comes to an end? We were reassured by the Brexit Secretary both on the Floor of the House and in the Select Committee that there has been real progress in that area, so a general update would be welcome.

Secondly, what happens if a withdrawal agreement is not ratified before the UK’s exit on 29 March 2019? The Government recognise in their no deal guidance that there is not yet an agreed timetable for putting an adequacy decision in place in the event of no deal. Leaving with no deal would mean leaving with no data-sharing agreement. Without an adequacy decision, data could continue to be transferred only on the basis of alternative safeguards set out under GDPR—namely, standard contractual clauses for businesses and organisations. Will the Minister therefore set out what assessment her Department has made of the feasibility and cost to business of having to comply with such alternative safeguards in the case of a no deal Brexit? What is her view of the pending European Court of Justice case on the validity of standard contractual clauses, Data Protection Commissioner v. Facebook Ireland Ltd and others—the Schrems II case—in respect of the Government’s no deal advice?

Thirdly, for the post-Brexit world, the Government have repeatedly said on the Floor of the House that they seek to achieve a data-sharing agreement that goes beyond adequacy. There was some debate about whether that might be the basis of an agreement between the UK and the EU or reliant on the adequacy decision, which is of course unilaterally made by the European Commission. While we have debated that on a few occasions, I am still not clear about the Government’s preferred method, although I note that in the motion the adequacy unilateral decision is the “starting point”. Will the Minister set out today whether any enhanced arrangement beyond adequacy is realistic given the state of the Brexit negotiations, and what the position is on the UK’s proposal for a beyond adequacy agreement? Will she comment on the Government’s response to the Exiting the European Union Committee’s report on data, which suggests that enhanced adequacy involves some form of participation of the UK in EU data bodies and/or in a one-stop shop, which would involve an agreement to allow the relevant European Court jurisdiction and/or jurisprudence?

Finally, on future trade, does the Minister for Trade Policy envisage future trade deals including constituent or adjacent horizontal clauses on data sharing, to align with European standards in third-country trade deals? Will he confirm whether the clauses try simply to tackle data-sharing non-tariff barriers, or if they are envisaged to have an additional effect that could assist the UK in maintaining data-sharing safeguards with the European Union? Lastly, if possible, will he update the Committee as to the status of any proposed EU-UK agreement at treaty level, and what if any lessons have been learned from, for example, the EU-Japan free trade agreement?

I add on behalf of the European Scrutiny Committee that we still await a response to the questions posed on this topic in our report of 12 September. I am sure that the Ministers will take the opportunity today to answer any more general questions but, if not, I look forward to a commitment that we will receive that response in due course.

Darren Jones (Bristol North West) (Lab)

- Hansard -

Copy Link

-

It is my absolute pleasure to serve under your chairpersonship today, Ms McDonagh. I congratulate the hon. Member for St Albans (Mrs Main) on securing this debate. I declare my interest, as set out in the Register of Members’ Financial Interests.

The United Kingdom punches above its weight in the global digital marketplace, with £170 billon of turnover and £7 billion of tech investment—twice the amount of any other country in the European Union. However, as we have heard, this is not just about profits; it is also about good-quality jobs, with the average advertised salary for a digital job 44% higher than for a non-digital average. That benefit is shared by an enormous 1.6 million workers in the UK’s digital sector, and it is a benefit shared by those seeking work, either young people or those in retraining, to get access to higher pay and higher quality jobs.

Such jobs are good, but much more needs to be done both on gender equality and class inequality in the technology and digital sectors, with many start-up businesses pioneered by those with the safety net of a family who can provide for them when inevitable failures occur. I do not criticise them for having that safety net, but the stark reality in my constituency of Bristol North West is that I have some of the most affluent and some of the most economically deprived suburbs in the city right next door to each other. Many of the young people have fantastic ideas but are not confident enough to take on the risk to try them. We need to try to find solutions to ensure that there is an equality of access to the opportunities and excitement of the digital market.

As we have seen recently, there are still gender inequality issues in some aspects of the technology and digital marketplace, so gender bias is as important an issue in this space as it is in others. I absolutely agree with the comments made today about the digital skills needed for young people. It is also important to show why the basics around science, maths and English can lead to such exciting jobs so that young people can see what they are aiming for and understand why getting that maths GCSE, which they might find slightly boring at the time, is a really exciting route through to some fantastic jobs. It is also about reskilling. An example that I gave in the House in the debate on autonomous vehicles was about when all of our taxis become driverless taxis and we have a load of taxi drivers who will need to find new work. This is not just about young people; it is about reskilling older people to access the marketplace.

On the whole, the Bristol and Bath region does really well. We have £8 billion of digital turnover. We had 87% growth from 2011 to 2015, which now accounts for 35,000 jobs in our region in the west of England. That is an enormous part of our economy. I will take this opportunity to pay tribute to the likes of the Engine Shed, TechSPARK, Business West and others in Bristol who have been pioneering for many years.

One key aspect of driving the regional presence is access to finance. That has been one of our problems in Bristol, which it has been getting better at. However, start-ups that want to scale up and get financial backing through serious funding and other avenues still need to come and have a presence in London. The networking that they need to do is in London. The people who have done this and know how to do it are in London. In my view, we need Government action to take that knowledge and experience out to the regions so that companies are able not only to start up in incubator spaces, but to scale up their businesses in the region.

That is why our industrial strategy is important, and why significant efforts should be made not just in relation to the vast productivity gains that digitisation can make, and not just in the digital economy, but in standard industries and public services. There is also a need to continue to push the benefit out to the regions, creating incentives and environments that allow digital businesses to start and be staffed. Opportunities to work in those businesses are important, given the skills deficit outside London and the major conurbations. That cannot just mean DFLs—“down from Londons.” Bristol is pleased to welcome, on average, 80 families a week from London. It causes a bit of an issue with house prices, but apart from that they are very welcome. But we must remember that young people born and raised in Bristol, and especially in Bristol North West, need access to those jobs too.

There is no denying that London benefits from being the digital capital of Europe. That position is put at risk by the Government’s approach to Brexit. Our access to talent from across the European Union, the attractiveness of London and other parts of England as a place to call home, our access to capital through our dominance in financial services, and the regulatory harmony and access to the European single market that come with being able to sell digital goods and services to one of the largest trading blocs in the world, are all potentially being thrown to the wind by the Brexit strategy, which is a great shame. The digital single market that the European Union is pushing is part of that situation. It will take time to resolve, but it will be a lost opportunity if we do not have access to it, through at least maintaining our position in the single market and customs union.

On the disagreeable basis that we leave the European Union entirely, we must turn our minds to maintaining Britain’s digital strength in a global digital marketplace post Brexit. In many other areas of industry, such as law, which was my profession before I became a politician, Britain has a reputation around the world for playing a fair game, with clear rules and enforcement. That is a British brand that is trusted and reliable. Britain is renowned as a country that people want to come to in order to do business and reduce risk—and, as I said, to get access to the European Union. We should seek to build that recognition in our digital marketplace too. Our historic geopolitical position between the United States and the European Union will be relevant to the digital market. As we have seen from the Senate hearings on Cambridge Analytica and Facebook, United States legislators are now looking to the European Union to see how to regulate technology and digital business.

That is an area where British MEPs and British commissioners and staff have played an important role in defining such things as the general data protection regulation, the network and information security directive, and components of the digital single market. In building that trusted global brand as the best country in which to start and run digital businesses, we now need to be much clearer about how we will apply the old rules in the new, modern digital world—how we will protect consumers who are buying goods and services that are digital.

We have made good progress, in the Consumer Rights Act 2015 and the implementation of European legislation such as the digital content directive, but there is more to do, not least with respect to making citizens and consumers aware of what is happening, and their rights, and how we regulate dominant companies in uncompetitive marketplaces. In the old world of utilities there are regulators to ensure consumer fairness. In the new world of the ownership and control of data Ofcom plays an enforcement role, but what is the competition role in that space? That is something we need to talk about more. We also need to deal with how we guarantee old civil liberties in a modern setting, including the role of the state and public services, the use of big data, and ensuring the cyber-security that we have heard about today.

That is why yesterday I was thrilled to kick off a scoping event, here at the House of Commons, on a new parliamentary commission on technology ethics, building on the work of colleagues in the other place—the report of the Lords Select Committee on Artificial Intelligence came out this week and it is very good. The Minister’s new data ethics body in the Department for Digital, Culture, Media and Sport is excitedly anticipated. Also there are issues such as the control, security and monetisation—with patient consent—of assets such as NHS data sets, as identified by Sir John Bell in the life sciences industrial strategy as new ways of funding public services.

Working with the hon. Member for North East Derbyshire (Lee Rowley), my Conservative co-chair of the all-party parliamentary group on data analytics—the parliamentary internet, communications and technology forum—and others, we shall engage with all stakeholders externally, and with the Minister and her Department, to create an environment in the United Kingdom that is good for digital businesses and consumers in the digital world, and hopefully a beacon for best practice around the world. There is a balance to get right, between the vast opportunities that come with driverless vehicles, the internet of things and digital public services, and the risks. It will be important to build trust with consumers and citizens, partners around the world, and businesses, to create a digital economy in the UK that we can all be proud of.

Darren Jones (Bristol North West) (Lab)

- Hansard -

Copy Link

-

I welcome new schedule 1, in the name of my right hon. Friend the Member for Birmingham, Hodge Hill and my hon. Friends the Members for Ogmore and for Sheffield, Heeley. I should declare that I was first on Facebook as a 19-year-old. Now, as a 31-year-old, I can declare that I do not think there is anything on there that I am embarrassed of.

Darren Jones

- Hansard -

Copy Link

-

I reserve the right for other hon. Friends to remove content from their social media.

I wanted to refer to the issue of data ownership. When we think of the world in terms of things that we own, there are legal bases for that ownership. We have a legal right to the houses that we buy, once the mortgage has been paid off, and we have a legal right to the clothes that we buy. However, we have no legal right to the ownership of the data about us or the data that we generate. In the context of people making money off the back of it, that feels fundamentally incorrect.

Even the language that we use suggests that the relationship is not balanced. The idea that Facebook is my data controller, and that I am merely its data subject, suggests that the tone of the conversation is incorrect. I support the fundamental principle of ownership, because I think that we need to have a much more fundamental debate about who owns this stuff. Why are people making money off the back of it? If they do things with our property that is against the law, or that incurs us a loss, we should have the right to enforce that principle.

We have seen that not just in the context of the personal data that we might create about the things we like to buy or the TV programmes we like to watch. Sir John Bell, in the report “Life sciences: industrial strategy”, talked about the value of NHS data. We are in a unique position in the world, because of our socialist healthcare system, where we have data for individuals in a large population across many years. That is extremely valuable to organisations and others. We on the Science and Technology Committee are doing reports at the moment on genomics data in the health service and on the regulation of algorithms. I recommend those reports, when they are published, to Members of the Bill Committee.

We need to try to avoid allowing, for example, health companies—I will not name any particular ones—to come into this country, access the data of NHS patients, build and train algorithms, and then take those algorithms to other parts of the world and make enormous profits off the back of them. But for the data that belongs to the British people, those businesses would not be able to make those profits.

Darren Jones

- Hansard -

Copy Link

-

Then you agree with hon. Members on both sides of the Committee, Mr Streeter. Of course we do, but as we have seen this week with the Cambridge Analytica scandal, rules must be set, and there must be a balance between allowing innovation to flourish and people’s rights not to be harmed in the process.

Darren Jones

- Hansard -

Copy Link

-

I agree—that is why I welcome the Bill. I am saying that we ought to go further, which is why I support the new schedule, and having conversations about ownership.

Returning to the issue of health data, I have personal views about how we might tax revenues from platforms in a better way. I welcome the comments made by the Chancellor of the Exchequer, in line with his counterparts in Europe, about looking at how we tax revenues where they are made, not where the company is headquartered. That is a positive move, but surely if all this NHS data is creating profits for other companies and organisations, we can create a situation in which patients also benefit from that, by sharing in the profits that are made and by seeing value redirected into the health service.

All that becomes anchored in the question of ownership. There is still this legal space that says that data subjects do not own their own data. We need a much broader debate on that. [Interruption.] Members are shaking their heads. I am happy to take interventions, if Members would like.

Darren Jones

- Hansard -

Copy Link

-

I agree entirely. I confess I never got all the way through my version of Piketty, but the idea of value through assets, as opposed to through the stagnating wages in our economy today, plays into this conversation around data. People from poorer backgrounds may not inherit houses or land, but they create their own data every day. It is an asset that should belong to them. They should be able to share in its value when companies around the world are making enormous profits off the back of it. In this digital age, there is a huge call for equality of opportunity and equality of access. We need to try to get those right in these fundamental understandings of the digital market and the rights that exist around it.

Lastly, I encourage and strengthen my right hon. Friend’s arguments on the application of these principles to children. The Committee has already debated how parental consent is not needed after the age of 13. One of my early jobs as legal counsel at BT was the dubious task of consolidating terms and conditions. Hon. Members who are no doubt happy customers of BT, with perhaps broadband, TV and sport, would originally have had to read five or six different documents that were very long and complicated. I had to consolidate those. That was not good enough, so I commissioned a YouTube star to do a video, which can be seen on the terms and conditions page, to try to explain some of these things. Even for adults, this was a really hard and laborious task.

I am not saying that it is for Government to tell businesses how to communicate to children. Second Reading and some of the Committee’s debates show—dare I say it—that we are probably not best placed to have those conversations. However, it is really important that there is an expectation on businesses that they take steps to ensure that children are properly engaged and really understand what they are signing up to, especially as the Government have opted to go to the minimum age range for consent, going to 13.

I just wanted to re-emphasise the debate on ownership and on children. I support my right hon. Friend’s new schedule and new clauses, and I hope the Government will support them.

Darren Jones

- Hansard -

Copy Link

-

It is a pleasure to serve under your chairmanship this afternoon, Mr Streeter. I want to pursue the debate on the re-identification of de-identified personal data because, as the Minister pointed out, under the general data protection regulation, the idea of pseudonymised data comes into the law for the first time. For example, if my name, as my personal data, is turned into #365, it has been pseudonymised, and the question is whether #365 can be unlocked to identify the name “Darren Jones”. Pseudonymising is distinct from anonymising, which cannot be unlocked.

The question has come up a lot in the Select Committee on Science and Technology, in various contexts. I had a conversation with the Minister and her officials in the Select Committee about one scenario—the use of genetic data in the health service, where lots of data from individuals is pooled together for the purpose of learning about trends. It may be re-applied to the individual in the delivery of care. Another example might involve Facebook clients being able to upload customer lists on to the Facebook advertising profile. Each name would be hashed—pseudonymised—but ultimately targeted advertising could be pushed through to the individual’s profile.

Both those scenarios raise a policy question about the end of the process, when it comes back to the individual—the information has been personally identifiable, then is pseudonymised in a pooled way, and is then re-identified. Will those issues give rise to an offence under the part of the Bill that we are considering, and should consent be different, with the potential for pseudonymised data to be re-identified made clear to the end user? The reason I have not tabled any amendments to deal with the point is that I do not know the answer, but I should welcome the Minister’s views, and perhaps a commitment to have a conversation either with the Information Commissioner or the new data and artificial intelligence ethics unit about different types of consent where data is pseudonymised and then re-identified, either for health purposes or targeted advertising.

Darren Jones (Bristol North West) (Lab)

- Hansard -

Copy Link

-

I beg to move amendment 151, in clause 177, page 102, line 13, at end insert—

“(4) Notwithstanding any provision in section 6 of the European Union (Withdrawal) Act 2018, a court or tribunal shall have regard to decisions made by the European Court after exit day so far as they relate to any provision under this Act.”.

For fear of sounding like a broken record, my arguments in favour of the amendment are broadly similar to those for amendment 152—in seeking to assist the Government in our shared aim of getting a decision of adequacy with the European Commission, it would be helpful to set out in the Bill our commitment to tracking and implementing European jurisprudence in the area of data protection. Members will remember that amendment 152 dealt with the European data protection board. Amendment 151 makes the same argument, but in respect of the European Court.

I appreciate that there may be some political challenges in stating the aim that the UK will mirror the European Court’s jurisdiction, but the reality is that developing European data protection law, either directly from the courts or through the European data protection board, will in essence come from the application of European law at the European Court of Justice. The amendment does not seek to cause political problems for the Government, but merely says that we ought to have regard to European case law in UK courts, in order to provide the obligation to our learned friends in the judiciary to have regard to European legal decision making and debates in applying European-derived law in the United Kingdom. This short amendment seeks merely to put that into the Bill, to assist the Government in their negotiations on adequacy with the European Commission.

Darren Jones

- Hansard -

Copy Link

-

The Minister gave a full answer, largely in agreement with the points I made.

Darren Jones

- Hansard -

Copy Link

-

I agree. I would therefore invite the Government to reconsider their position and support the amendment, because it reflects what is in the EU (Withdrawal) Bill, it talks about having regard to ECJ jurisprudence in future and, as the Minister pointed out, Government policy and the Government’s intention are that we are going to end up in that position anyway. By putting that in the Bill, we would put it into law and give a very clear signal to our colleagues in the European Union that that is our intention and we will stand by it.

The Minister’s arguments do not seem to stack up. If I were saying in the amendment that we must apply ECJ case law directly and that the UK courts had no power to disregard EU jurisprudence I would probably agree, but that is not what it seeks to do. I am not convinced it goes beyond the Government’s policy position nor what is said in the EU (Withdrawal) Bill. I merely seek to help the Government by making this simple amendment to the Bill. With your permission, Mr Streeter, I will push it to a vote.

Question put, That the amendment be made.

Darren Jones (Bristol North West) (Lab)

- Hansard -

Copy Link

-

In the Data Protection Public Bill Committee last week, the Government rejected Opposition amendments that would give full effect to the European requirement for consumer groups such as Which? to be able to bring class actions on behalf of large groups of consumers who have been subject to a data breach. The Government initially ignored that and then tabled an amendment for that to be done on an opt-in basis. Given the revelations about Cambridge Analytica and the fact that none of us knows whether we are included in the 50 million Facebook profiles that have been hacked, will the Government reconsider their position and move to an opt-out basis in line with European Union law?

Darren Jones (Bristol North West) (Lab)

- Hansard -

Copy Link

-

I beg to move amendment 152, in schedule 6, page 179, line 17, leave out paragraph 2 (as inserted by paragraph 49) and insert—

“2 The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, incorporate with any modifications which he or she considers necessary in any guidance or code of practice which the Commissioner issues, decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR.

2A The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”

It is a pleasure to serve under your chairmanship, Mr Streeter. I declare my interests as set out in the Register of Members’ Financial Interests.

Amendment 152, like the amendments we tabled on Tuesday, would assist the Government in securing a finding of adequacy from the European Commission so that, if the UK leaves the European Union, we can continue to exchange data with it. As the Committee knows, I like to refer to my version of the general data protection regulation as much as to the Bill, even though it is not the subject of our debate today.

I welcome the Government’s commitments on the Floor of the House to seeking something “akin to” adequacy, then adequacy, and then something “beyond adequacy”. I thank the Minister , the hon. Member for Stourbridge, for her response to my question on Second Reading about wanting “beyond adequacy” to represent a useful position for our Information Commissioner on the European data protection board. Some of us have concerns about that because of the practicalities of what happens with third countries. Indeed, I asked the Information Commissioner herself about it at an evidence session of the Select Committee on Science and Technology, and she confirmed that third countries traditionally have little influence on the article 29 working party—the predecessor of the EDPB—even if they have a seat at the table.

I think our shared view is that in seeking “beyond adequacy”, we want not only to have a seat at the table as a potential third country but to have influence. In order to have that influence, we need to go slightly above and beyond what other third countries do and show close co-operation between the UK and the European Union.

Article 45 of the GDPR sets out guidelines on how the European Commission will assess and agree decisions on adequacy. It has to be happy that our legal framework is in line with its own. Of course, there will be an initial conversation as part of trade negotiations with the European Union. Under paragraph 3, the Commission is then to undertake

“a periodic review, at least every four years”

to ensure that we continue to be compliant. Paragraph 4 refers to ongoing monitoring of developments in third countries in their application of data protection laws and privacy rights.

As I have said on Second Reading and in previous debates on data protection laws, my concern is that we should lockstep the developments in our legislation, guidance and codes of conduct to show that they are still in line with the leading European Union legislative framework for data protection, so that we can continue to flow important amounts of data. Some 70% of our data flow is with the EU, and the UK accounts for a huge proportion—around 11%—of global data flow. We must maintain that. Under article 50 of the GDPR, in deciding on adequacy, the European Commission must seek

“mechanisms to facilitate the effective enforcement of legislation”.

This is our opportunity to show the European Union that we are committed to data protection principles. Amendment 152 would tweak the wording of paragraph 2 of article 61 of the applied GDPR. I was pleased to see that paragraph; in earlier debates I raised some concerns that—for political reasons that I will not go into today—the Bill might not go as far as admitting that we need to track and implement EU law in the area. However, I want to strengthen the paragraph 2 wording, which says that our Information Commissioner must

“have regard to”

various things that happen at European Union level, including

“decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board”.

The amendment seeks to strengthen that slightly, while recognising that the Government, and probably also the Information Commissioner, would like a little flexibility.

Darren Jones

- Hansard -

Copy Link

-

I agree. I am attempting not to get too much into the party politics in a bid to seek the Government’s agreement to the amendment, but there is an important distinction to be made. We have a layering of risks in seeking to achieve adequacy. On Tuesday we debated at length the Government’s decision to repeal fundamental rights of the European charter, which we know from European guidelines is something they look to. We will come to issues of national security today, which is also an issue for third countries, as we have seen with Canada.

This small amendment would help mitigate some of that risk by making it clear to our friends in the European Union that we in Britain are proud about the influence we had in drafting the general data protection regulation, which is a world-leading set of laws and rules for the future of our digital economy, and we continue to want to play a part in that, to help lead the conversation in the world and at European Union level. In co-operation with our friends in Europe, we seek to maintain that. While the Government may wish for divergence in other areas, I take the view that they do not in this area because we have been at the forefront of developments.

The amendment seeks only to tweak what is already in the Bill. As Members will see, it says that we would

“incorporate, with any modifications which he or she”—

that is the Information Commissioner—

“considers necessary in any guidance or code of practice… decisions…issued by the European Data Protection Board”.

There is a nuanced difference; the Bill as drafted speaks of having “regard to”, while the amendment speaks of incorporating, with any modifications that the Information Commissioner feels fit. It may seem like I am getting stuck in semantics—I do quite like to do that—but the amendment would deliver an important tone to the European Commission. On passing the Bill, we would be saying that when we are negotiating on data, where we have a shared interest at European and UK level, we want to get it right, and we will have gone beyond the basics of adequacy of other third countries because of our close relationship. We will hopefully have a seat on the European data protection board, where we seek to have influence, and we will take that responsibility seriously and, therefore, we will incorporate decisions of the board into the guidance of UK laws to lockstep our development in the area. As I said, it is made clear in the general data protection regulation that that is to be monitored on a continuous basis and more formally on a periodic basis.

I would not want us to lose adequacy in the future by diverging from European Union law. I want us to have an influential position on the European data protection board, which means being involved in the detail and taking the obligation of carrying that through on our side of the fence. The amendment seeks to bring that tone of co-operation and would help us and the Government in seeking adequacy so that we can secure these important data flows into the future.

Darren Jones

- Hansard -

Copy Link

-

I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.

From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.

The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.

Darren Jones

- Hansard -

Copy Link

-

My right hon. Friend is exactly right. Of course, the Information Commissioner is an excellent commissioner. We are privileged to have Elizabeth in the role here in the UK, not least with her experience, as a Canadian, of being in a third country. That is why I put some flexibility into my amendment—to recognise that situations may arise about which we cannot hypothesise today in which the commissioner will need some flexibility. Under my amendment, she has the power to add modifications that she considers necessary. The Government’s concerns about the lack of flexibility are not reflected in the drafting of my amendment, as I have tried to deal with that.

The idea that the amendment increases the European data protection board’s power is incorrect, because this is UK law, not European Union law. The amendment merely says that we will go only slightly further, with flexibility, by recognising that in the decisions that we want to be a part of—that is a really important point here—and to influence, we will take the obligations as well as the responsibilities, should we be invited to.

Darren Jones

- Hansard -

Copy Link

-

I agree with my hon. Friend. The reality may be that under the wording in the Bill, the Information Commissioner has no choice but to apply and incorporate the European data protection board’s decisions if it is to keep up and maintain adequacy.

That is why the amendment is not something to worry about. It seeks to do what will probably happen in practice, but it puts our commitment to that relationship in the Bill. When we say to Europe that, uniquely, unlike any other third country and despite not being a member of the European Union, we want to have a position of influence on the EDPB, we can also say that we recognise that no one else has that level of influence, but in seeking to have it, we have made commitments to that future relationship in UK legislation.

I do not think any other Members here are members of the European Scrutiny Committee, but I spent the whole of yesterday afternoon losing votes on amendments to a report, and I rather enjoyed myself, so I will press this amendment to a vote.

Question put, That the amendment be made.

Darren Jones

- Hansard -

Copy Link

-

I promise not to speak at every opportunity today, Mr Streeter; I am conscious that it is a Thursday and that Members have constituencies to get to, but on this point I will just add my support to the amendment tabled by my right hon. Friend the Member for Birmingham, Hodge Hill.

The Bill puts us in a position that we should not have been in in the first place. The Government’s original view was that they were not going to implement article 80 of the GDPR; they have now gone one step in that direction, and I support the aim that we go the whole hog.

I recognise from my work previous to being an MP that a lot of tech companies are not evil; they want to do the right thing and go about being successful as businesses. It was partly my job in the past to look at these areas of law on behalf of companies, and to work with campaigning groups, regulators and others. It was about being an internal voice to make sure that there was the correct balance within businesses was correct between considering consumers and being pro-business. This amendment would help to facilitate that conversation, because if bodies such as Which? that are private enforcers on behalf of consumers had these legal rights, then of course there would be an obligation on businesses to have ongoing dialogue and relationships. They would have to make sure that consumers’ concerns were at the forefront and that they were doing things in the right way.

The balance to be struck is really important. The Information Commissioner’s Office, for example, has lost quite a lot of staff to other companies recently. The Minister’s Department had to increase the salary bands for ICO staff to try to keep them there. In other sectors of the regulated economy, having private enforcers on behalf of consumers as a collective group works perfectly well for existing regulators.

In the telecommunications sector, in which I have worked in the past, there is Ofcom, which regulates the telecom sector, but there is also Which?, working as a private enforcer under the Consumer Rights Act 2015, which can act on behalf of consumers as a group. That works perfectly well and as my right hon. Friend said, private enforcers will not just start bringing these super-complaints every week, because the risk would be too high. They will only bring these super-complaints when they have failed in their dialogue and have no choice.

Darren Jones (Bristol North West) (Lab)

- Hansard -

Copy Link

-

I beg to move amendment 152, in schedule 6, page 179, line 17, leave out paragraph 2 (as inserted by paragraph 49) and insert—

“2 The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, incorporate with any modifications which he or she considers necessary in any guidance or code of practice which the Commissioner issues, decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR.

2A The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”

It is a pleasure to serve under your chairmanship, Mr Streeter. I declare my interests as set out in the Register of Members’ Financial Interests.

Amendment 152, like the amendments we tabled on Tuesday, would assist the Government in securing a finding of adequacy from the European Commission so that, if the UK leaves the European Union, we can continue to exchange data with it. As the Committee knows, I like to refer to my version of the general data protection regulation as much as to the Bill, even though it is not the subject of our debate today.

I welcome the Government’s commitments on the Floor of the House to seeking something “akin to” adequacy, then adequacy, and then something “beyond adequacy”. I thank the Minister , the hon. Member for Stourbridge, for her response to my question on Second Reading about wanting “beyond adequacy” to represent a useful position for our Information Commissioner on the European data protection board. Some of us have concerns about that because of the practicalities of what happens with third countries. Indeed, I asked the Information Commissioner herself about it at an evidence session of the Select Committee on Science and Technology, and she confirmed that third countries traditionally have little influence on the article 29 working party—the predecessor of the EDPB—even if they have a seat at the table.

I think our shared view is that in seeking “beyond adequacy”, we want not only to have a seat at the table as a potential third country but to have influence. In order to have that influence, we need to go slightly above and beyond what other third countries do and show close co-operation between the UK and the European Union.

Article 45 of the GDPR sets out guidelines on how the European Commission will assess and agree decisions on adequacy. It has to be happy that our legal framework is in line with its own. Of course, there will be an initial conversation as part of trade negotiations with the European Union. Under paragraph 3, the Commission is then to undertake

“a periodic review, at least every four years”

to ensure that we continue to be compliant. Paragraph 4 refers to ongoing monitoring of developments in third countries in their application of data protection laws and privacy rights.

As I have said on Second Reading and in previous debates on data protection laws, my concern is that we should lockstep the developments in our legislation, guidance and codes of conduct to show that they are still in line with the leading European Union legislative framework for data protection, so that we can continue to flow important amounts of data. Some 70% of our data flow is with the EU, and the UK accounts for a huge proportion—around 11%—of global data flow. We must maintain that. Under article 50 of the GDPR, in deciding on adequacy, the European Commission must seek

“mechanisms to facilitate the effective enforcement of legislation”.

This is our opportunity to show the European Union that we are committed to data protection principles. Amendment 152 would tweak the wording of paragraph 2 of article 61 of the applied GDPR. I was pleased to see that paragraph; in earlier debates I raised some concerns that—for political reasons that I will not go into today—the Bill might not go as far as admitting that we need to track and implement EU law in the area. However, I want to strengthen the paragraph 2 wording, which says that our Information Commissioner must

“have regard to”

various things that happen at European Union level, including

“decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board”.

The amendment seeks to strengthen that slightly, while recognising that the Government, and probably also the Information Commissioner, would like a little flexibility.

Darren Jones

- Hansard -

Copy Link

-

I agree. I am attempting not to get too much into the party politics in a bid to seek the Government’s agreement to the amendment, but there is an important distinction to be made. We have a layering of risks in seeking to achieve adequacy. On Tuesday we debated at length the Government’s decision to repeal fundamental rights of the European charter, which we know from European guidelines is something they look to. We will come to issues of national security today, which is also an issue for third countries, as we have seen with Canada.

This small amendment would help mitigate some of that risk by making it clear to our friends in the European Union that we in Britain are proud about the influence we had in drafting the general data protection regulation, which is a world-leading set of laws and rules for the future of our digital economy, and we continue to want to play a part in that, to help lead the conversation in the world and at European Union level. In co-operation with our friends in Europe, we seek to maintain that. While the Government may wish for divergence in other areas, I take the view that they do not in this area because we have been at the forefront of developments.

The amendment seeks only to tweak what is already in the Bill. As Members will see, it says that we would

“incorporate, with any modifications which he or she”—

that is the Information Commissioner—

“considers necessary in any guidance or code of practice… decisions…issued by the European Data Protection Board”.

There is a nuanced difference; the Bill as drafted speaks of having “regard to”, while the amendment speaks of incorporating, with any modifications that the Information Commissioner feels fit. It may seem like I am getting stuck in semantics—I do quite like to do that—but the amendment would deliver an important tone to the European Commission. On passing the Bill, we would be saying that when we are negotiating on data, where we have a shared interest at European and UK level, we want to get it right, and we will have gone beyond the basics of adequacy of other third countries because of our close relationship. We will hopefully have a seat on the European data protection board, where we seek to have influence, and we will take that responsibility seriously and, therefore, we will incorporate decisions of the board into the guidance of UK laws to lockstep our development in the area. As I said, it is made clear in the general data protection regulation that that is to be monitored on a continuous basis and more formally on a periodic basis.

I would not want us to lose adequacy in the future by diverging from European Union law. I want us to have an influential position on the European data protection board, which means being involved in the detail and taking the obligation of carrying that through on our side of the fence. The amendment seeks to bring that tone of co-operation and would help us and the Government in seeking adequacy so that we can secure these important data flows into the future.

Darren Jones

- Hansard -

Copy Link

-

I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.

From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.

The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.

Darren Jones

- Hansard -

Copy Link

-

My right hon. Friend is exactly right. Of course, the Information Commissioner is an excellent commissioner. We are privileged to have Elizabeth in the role here in the UK, not least with her experience, as a Canadian, of being in a third country. That is why I put some flexibility into my amendment—to recognise that situations may arise about which we cannot hypothesise today in which the commissioner will need some flexibility. Under my amendment, she has the power to add modifications that she considers necessary. The Government’s concerns about the lack of flexibility are not reflected in the drafting of my amendment, as I have tried to deal with that.

The idea that the amendment increases the European data protection board’s power is incorrect, because this is UK law, not European Union law. The amendment merely says that we will go only slightly further, with flexibility, by recognising that in the decisions that we want to be a part of—that is a really important point here—and to influence, we will take the obligations as well as the responsibilities, should we be invited to.

Darren Jones

- Hansard -

Copy Link

-

I agree with my hon. Friend. The reality may be that under the wording in the Bill, the Information Commissioner has no choice but to apply and incorporate the European data protection board’s decisions if it is to keep up and maintain adequacy.

That is why the amendment is not something to worry about. It seeks to do what will probably happen in practice, but it puts our commitment to that relationship in the Bill. When we say to Europe that, uniquely, unlike any other third country and despite not being a member of the European Union, we want to have a position of influence on the EDPB, we can also say that we recognise that no one else has that level of influence, but in seeking to have it, we have made commitments to that future relationship in UK legislation.

I do not think any other Members here are members of the European Scrutiny Committee, but I spent the whole of yesterday afternoon losing votes on amendments to a report, and I rather enjoyed myself, so I will press this amendment to a vote.

Question put, That the amendment be made.

Darren Jones

- Hansard -

Copy Link

-

I promise not to speak at every opportunity today, Mr Streeter; I am conscious that it is a Thursday and that Members have constituencies to get to, but on this point I will just add my support to the amendment tabled by my right hon. Friend the Member for Birmingham, Hodge Hill.

The Bill puts us in a position that we should not have been in in the first place. The Government’s original view was that they were not going to implement article 80 of the GDPR; they have now gone one step in that direction, and I support the aim that we go the whole hog.

I recognise from my work previous to being an MP that a lot of tech companies are not evil; they want to do the right thing and go about being successful as businesses. It was partly my job in the past to look at these areas of law on behalf of companies, and to work with campaigning groups, regulators and others. It was about being an internal voice to make sure that there was the correct balance within businesses between considering consumers and being pro-business. This amendment would help to facilitate that conversation, because if bodies such as Which? that are private enforcers on behalf of consumers had these legal rights, then of course there would be an obligation on businesses to have ongoing dialogue and relationships. They would have to make sure that consumers’ concerns were at the forefront and that they were doing things in the right way.

The balance to be struck is really important. The Information Commissioner’s Office, for example, has lost quite a lot of staff to other companies recently. The Minister’s Department had to increase the salary bands for ICO staff to try to keep them there. In other sectors of the regulated economy, having private enforcers on behalf of consumers as a collective group works perfectly well for existing regulators.

In the telecommunications sector, in which I have worked in the past, there is Ofcom, which regulates the telecom sector, but there is also Which?, working as a private enforcer under the Consumer Rights Act 2015, which can act on behalf of consumers as a group. That works perfectly well and as my right hon. Friend said, private enforcers will not just start bringing these super-complaints every week, because the risk would be too high. They will only bring these super-complaints when they have failed in their dialogue and have no choice.

Darren Jones (Bristol North West) (Lab)

- Hansard -

Copy Link

-

Thank you, Mr Hanson. It is a pleasure to serve under your chairmanship on my first Bill Committee.

I rise to support the comments made by my right hon. Friend the Member for Birmingham, Hodge Hill about the importance of adequacy and its link to article 8 of the charter of fundamental rights, and therefore in support of new clause 12. The Bill is pragmatic in seeking to bring GDPR principles into areas of non-EU competence and to provide a legislative parking space for GDPR if the UK leaves the European Union. However, we cannot get away from the fact that GDPR in itself has a legal basis that is anchored to the European charter of fundamental rights. In trying to copy and paste that level of protection into UK law, we must therefore also bring with it the fundamental rights to which it is attached.

Darren Jones

- Hansard -

Copy Link

-

Of course the hon. Gentleman is right that the article includes principles of data protection, but we are trying to make the Government’s job in seeking the decision on adequacy with the European Union as easy as possible. This seems an easy way to facilitate that. Clearly, there is a dereliction of fundamental rights through not copying and pasting this across into UK law. Although there are data protection principles under the European convention on human rights, article 8 states:

“Everyone has the right to respect for his private and family life, his home and his correspondence.”

That does not sound very modern or digital to me. Although rights flow from that, the charter rights on communications—specifically electronic communications— seem much more fit for the future. I welcome the Secretary of State’s comments that the Bill seeks to make our country fit for the future. Let us rely not on a world of manual correspondence, but on one of electronic communications.

The new clause is not ideological; it does not seek to rebalance power between business controllers and individual citizens. It merely seeks to replicate what is in law today: a basic and fundamental human right that seems to me and to others to be perfectly sensible. Only yesterday, I was in Brussels with the European Scrutiny Committee, meeting Mr Barnier. He talked positively about wanting to get agreement on data adequacy, given its importance—not least because 11% of global data flows come to the UK, 70% of which are with the EU. It would be a disaster for this country if we did not have adequacy, so let us make our job easier to effect that shared aim across the Floor of the Committee and with our counterparts in Europe of seeking a decision on adequacy. Let us put this new clause into the Bill, so that we maintain the position that our data subjects have today: a fundamental right, which is in the European charter of fundamental rights, and in the future will be in this Bill.

Darren Jones

- Hansard -

Copy Link

-

The right exists in its own right in the European charter of fundamental rights. That is why European Courts refer to it when making decisions. If the Courts did not think that it was an established right in itself, they would refer to the other sources of legislation that the Minister mentioned. It therefore must, as a matter of logic, be a legal right that is fundamental; otherwise, the Courts would not refer to it.

On the Minister’s original comments about the consequences of the new clause, I think they are clear in the drafting. Subsection (2), as my right hon. Friend the Member for Birmingham, Hodge Hill said, states that processing personal data must comply with GDPR and the derogations in the Bill, and the consequences of subsection (3) are that the Information Commissioner should ensure compliance. In ensuring compliance, the commissioner will look to GDPR and the Bill to understand the consequences of a breach of a fundamental right that already exists.

Darren Jones

- Hansard -

Copy Link

-

Does the Minister recognise that, under the European Union (Withdrawal) Bill, the application of the EU acquis—EU law—is based on legislation that existed before the point of exit? It will not continue to apply to new legislation and developments after the point of exit. The new clause needs to be in the Bill to maintain that position for the future; we must not just look back into the past.

Darren Jones

- Hansard -

Copy Link

-

I have a copy of the general data protection regulation here. Recital 1 on the first page states:

“The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union—”.

Is it not the case, to use some imagery here, that at the moment the GDPR is built on a foundation as on page one of this fundamental right in the same way as a house is built on strong foundations? Are we now not seeking to build the same house but without the foundations? Does this risk us sinking our decision on adequacy?

Darren Jones

- Hansard -

Copy Link

-

The Minister said that Europe provides that the age range is between 13 and 16. In fact, the GDPR says the age for consent is 16, but that member states can derogate down to 13. I do not wish to be an annoying lawyer, but it is an important distinction. Our colleagues in Europe are saying that the age they deem to be appropriate is 16, but they are giving member states flexibility to go lower. Interestingly, article 8(2) talks about how reasonable efforts need to be taken to verify age and consent

“taking into consideration available technology.”

My view is that, on these types of issues, there should be better technology for age verification as part of using online services and, where children’s data is being used to commercialise and monetise for the purposes of advertising, there should be additional safeguards for children.

I ask the Minister only to keep an open mind in the future, so that when we get to a position where technology providers can verify the age of children—I appreciate that is perhaps currently a little difficult—if industry does not move voluntarily to this position, the Government consider regulating in that regard.

Darren Jones

- Hansard -

Copy Link

-

On a point of order, Mr Hanson. I think I was remiss in not declaring my interest at the start of my contributions to today’s proceedings. With your permission, I seek to rectify that.

Darren Jones (Bristol North West) (Lab)

- Hansard -

Copy Link

-

Hundreds of thousands of the British people, Lord Leveson and now the revelations from Mr Ford have made it clear that this matter is not closed, which might lead the public to ask: what is there to hide? Why will the Secretary of State not just let Leveson 2 take place, so that he can once and for all put a line under it and show that, as he attests, the world has indeed moved on?