Mr Vaizey

- Hansard -

Copy Link

-

I understand the hon. Gentleman’s point, but I want to see self-regulation and voluntary action by organisations on the internet. That is a theme that I want to develop in my speech—I have only one hour and 10 minutes remaining, so I will try to speed up a bit. We have a code of practice that many companies say they adhere to, so that information should be made available to consumers. Critical momentum could be built up if more well-known and legitimate websites signed up to the code, made that plain on their home pages and allowed consumers to see what that code states.

Mr Vaizey

- Hansard -

Copy Link

-

I could not agree more with my hon. Friend. I used to be a lawyer; he used to be a marketer. Marketers are far more useful to society than lawyers. The trouble is that the terms and conditions are written by lawyers who want to cross every t and dot every i to protect their own back in every eventuality. What the consumer wants are easy-to-understand guidelines. That is something that I want to look at with the major internet service providers and websites. I shall expand on that point later in my remarks, probably at about 10 minutes past 5.

The Information Commissioner’s enforcement powers under the Data Protection Act 1998 and the Privacy and Electronic Communication (EC Directive) Regulations 2003 include the issuing of information notices to request information so that he can establish whether legislation is being complied with by an organisation. He can issue enforcement notices if he is satisfied that a data controller—that is, a website—has contravened or is contravening the legislation, for example by failing to process data fairly and lawfully. In addition, the Information Commissioner can issue a civil monetary penalty of up to £500,000 for serious breaches of the Act, although that power only came into force in April 2010. That is an important point, given that I am about to speak about Google Street View and the controversy that surrounds it.

My hon. Friend the Member for Harlow made it clear that part of his reason for calling this debate was to discuss Google Street View and the harvesting of data. Although my hon. Friend the Member for Dudley South (Chris Kelly) is not a civil libertarian, he pointed out that that was possibly the greatest breach of privacy in the history of this country, given the huge amount of data that were collected, although I am not sure that it ranked with the two CDs that went missing from the Inland Revenue.

I am able to update the House on the position. The ICO learned from Google in May that, in addition to the mapping exercise that it was supposed to be undertaking, its Street View cars had unintentionally collected payload data from unsecured wi-fi installations as they passed. It is the Information Commissioner’s job to consider whether in such circumstances there has been a breach of the law. He has been considering the issue and, importantly, has been discussing it with information commissioners in many other countries, including Canada, which my hon. Friend the Member for Dudley South mentioned.

Given that Google reported the breach, the best practice at that point would have been to delete all the data. However, as the Metropolitan police were considering whether the breach warranted an investigation, the data have been kept for evidential purposes. I understand that the police have decided that it would not be appropriate to launch a criminal investigation, so I will meet the Information Commissioner next week to discuss what next step he intends to take in respect of the data, and Google’s breach of data protection. I do not want to pre-empt what the Information Commissioner will decide to do, but normally he would work with the organisation that has committed the breach and put in place mechanisms to ensure that it does not happen again. What is clear is that the Information Commissioner does not have the power to levy a fine because, as I said earlier, that power did not come in until earlier this year.

It is interesting to note that the Federal Trade Commission, which has also been investigating Google’s breach, issued a letter yesterday pointing out that it, too, will not pursue Google on the matter on the basis that, in a series of public round-table events that the FTC hosted during the summer of 2010,

“Google has recently announced improvements to its internal processes to address some of the concerns raised”,

including

“appointing a director of privacy for engineering and product management; adding core privacy training for key employees; and incorporating a formal privacy review process into the design phases of new initiatives. The company also publicly stated its intention to delete the…data as soon as possible”,

and gave assurances that none of the data would be used

“in any Google product or service, now or in the future.”

The other lesson that should be learned from what happened with Street View is that we are in uncharted territory. As the small smart cars with large cameras appeared in our streets, little action was taken by anyone. We took it in our stride—well, my hon. Friend the Member for Milton Keynes North (Mark Lancaster) reminded us that his constituents took action by blockading one of the cars.

My recommendation is that when an organisation undertakes an exercise of that kind in the future, the ICO should put in place ground rules and discuss with it what measures will be taken, so that the organisation does not inadvertently breach data protection rules. I certainly think that if an organisation such as Google decides in the future to undertake a harvesting procedure of that kind, that is what the Information Commissioner should do.

Hon. Members also raised concerns about companies that search the web looking for adverse comments made by customers or staff members on blogs or social networking sites. My hon. Friend the Member for Harlow said that that was out of order. With the greatest respect, I would say to him that that is possibly an example of where we seem to believe that doing something on the internet is wrong when doing something like it offline would be acceptable.

For example, people post comments online. When they do that, they put them into a public space, if they decide not to put in place any privacy settings. They have to comply with the law in the United Kingdom as it stands—the comments cannot be defamatory. This is a matter of judgment for the individual company in terms of its reputation and relationships with its employees and customers, but there is nothing technically wrong in searching websites to see what comments have been made about an organisation. Indeed, as my hon. Friend the Member for Dudley South said, almost poetically, which one of us has not entered their own name in a Google search?

Mr Vaizey

- Hansard -

Copy Link

-

In terms of the UK Council for Child Internet Safety, I think that the issue needs to be addressed. As a matter of principle, we all accept that children deserve greater protection than adults do, whether offline or when accessing content online. We will continue to look at that.

Let us make no bones about it. As the hon. Member for Bath made clear, the key issue is not necessarily the harvesting of data on shopping habits, but the harvesting of data without consent or knowledge. There are some who say for example that Phorm, the company with which BT carried out an experiment, was providing a perfectly legitimate commercial service in allowing organisations to monetise their presence on the web by targeting adverts at certain consumers; if a consumer is particularly interested in a type of car, that advert could appear on screen while they are reading a web page. The website—for example, The Guardian or The Observer—could charge more for that advertisement and, therefore, monetise its online content. That is a legitimate argument, but huge concern was generated because there was no transparency. It was done without consumers’ knowledge and it was unknown what would happen to the data once they were collected or whether they would be transferred to third parties. At the heart of the debate is, above all, transparency over what data organisations harvest and the opportunity for the consumer to choose to opt in.

Mr Vaizey

- Hansard -

Copy Link

-

That is an important part of the debate. I shall talk later about the regulatory framework on e-privacy on which we are consulting, and it will be interesting to see the public’s response. There is certainly a strong argument that the consumer should not only be able to opt in, but know about their right to do so.

We are implementing changes to the e-privacy directive that strengthen privacy regulations in the online world, as part of our implementation of the European framework on electronic communications. We are consulting on those proposals, which could lead to changes to the privacy and electronic communications regulations and strengthen the Information Commissioner’s enforcement powers.

The directive has three key elements. First, effective, proportionate and dissuasive penalties will be introduced for any infringement of the directive’s provisions. Secondly, as part of the implementation of the revised e-privacy directive, we are also consulting on notification procedures for personal data breaches. We propose to ensure that the ICO issues guidance on any change to that notification mechanism and that the guidance will be the subject of a future consultation by the Information Commissioner. Thirdly, other changes to the e-privacy directive address problems with cookies, including any attempt to store information or gain access to stored information in a user’s equipment—using cookies—by requiring the informed consent of the user.

The provision covers legitimate practices that enable the use of many popular websites as well as illegitimate practices, such as spyware and viruses, which are also addressed in other legislation. The Government’s consultation on the implementation of the changes closes in December, and we will publish our response in spring 2011. The new measures will come into force on 26 May 2011.

Implementation of the electronic communications framework is not the only change that we are considering. Following the Lisbon treaty, as well as repeated calls to update the EU’s data protection directive, we expect the European Commission to publish a draft comprehensive instrument for data protection in mid-2011. The new instrument may cover all activities within the scope of European Union law. To inform the UK’s position for those forthcoming negotiations, the Ministry of Justice carried out a call for evidence for three months this summer to gain views on how the current legislative framework is working. Taken as a whole, those changes will usefully strengthen the regulatory framework governing privacy on the internet and will tackle some of the concerns expressed today.

As hon. Members have indicated throughout, there is a fundamental debate about the nature and scope of regulation. Business and the individual have a role to play in ensuring that both users and businesses are aware of their rights and responsibilities online. There is huge scope for self-regulation. The Internet Advertising Bureau has shown how industry can learn from consumer reaction and respond to consumers’ concerns by developing good practice principles. It has developed a website—www.youronlinechoices.co.uk—dedicated to informing consumers about behavioural advertising and offering a simple opt-out mechanism, which it proposed in March 2009, and this country’s advertising industry was the first in Europe to come up with a self-regulatory practice.

Discussions continue to take place between industry bodies at European level. Clearly, greater consumer awareness will help to address many of the concerns raised today and, with the Information Commissioner and industry, we will help with that in so far as is practicable.

I have spoken for almost 40 minutes, so it is time to draw my comments to a close. As a result of this debate and the thinking that went into preparing my comments, I intend to write to the major ISPs and websites, such as Google and Facebook, asking for a meeting. I want to discuss with them not just the general issue of people being aware of what data they may inadvertently be making available online, but the opportunity for redress.

I was struck by the comment from my hon. Friend the Member for Milton Keynes North about the women’s refuge centre whose address was put online, and it was then unable to persuade the organisation that was carrying that information to remove it. That organisation had not deliberately put the information online; it was simply the vehicle on which the information was available. There may be all sorts of reasons why it was difficult to take that information down. It may be that having taken it down, the address simply popped up again elsewhere, but the fact that no meeting or dialogue could take place worries me greatly. I suspect that most hon. Members in the Chamber have had conversations with constituents who have seen information about them online and have simply not known where to turn.

Nominet, the charity that is responsible for internet domain names, runs an extremely effective mediation service, so that people who are disputing the ownership of an internet domain name may be involved in a low-cost process to discuss how to resolve that dispute. It is certainly worth the Government brokering a conversation with the internet industry about setting up a mediation service for consumers who have legitimate concerns that their privacy has been breached or that online information about them is inaccurate or constitutes a gross invasion of their privacy to discuss whether there is any way to remove access to that information. I am sure that many internet companies will say that that is almost impossible, but when one hears stories such as that told by my hon. Friend the Member for Milton Keynes North, one wants at least to attempt to give consumers some opportunity to have a dialogue with internet companies, as they would be able to do if a newspaper had inadvertently published that information.

I hope that hon. Members have found my comments helpful and that I have been able to put into context what is happening with Google’s breach of data on Street View. I have set out my thoughts about personal remarks on the internet, establishing the regulatory regime for cookies and setting out the process that the Government are undertaking to strengthen privacy regulations on the internet alongside our European partners.