Chi Onwurah (Newcastle upon Tyne Central) (Lab)

- Hansard -

Copy Link

-

I am a proud member of two trade unions.

Chi Onwurah

- Hansard -

Copy Link

-

Q The Bill’s intent is to reduce burdens on organisations while maintaining high data protection standards. Do you agree that high data protection standards are promoted by well-informed and empowered citizens? What steps do you think the Bill takes to ensure greater information empowerment for citizens?

John Edwards: Yes, I do believe that an empowered citizenry is best placed to enjoy these rights. However, I also believe that the complexity of the modern digital environment creates such an information asymmetry that it is important for strong advocates such as the Information Commissioner’s Office to act as a proxy on behalf of citizenry. I do not believe that we should devolve responsibility to citizens purely to ensure that high standards are set and adhered to in digital industries.

Chi Onwurah

- Hansard -

Copy Link

-

Q Thank you, Mr Hollobone. We have heard that the intent in the Bill is in part to reduce the burden on organisations from data protection. We heard you set out what some of those burdens might be. The organisations affected by this Bill, and the organisations with which you work in different ways, operate in different jurisdictions. I think you, Ms Artz, set out quite well the challenges of having—or trying to have—the same regime in different jurisdictions. If forced to make a choice between following the European Union regime and following a divergent UK regime, what choice would the organisations with which you work make?

Chi Onwurah

- Hansard -

Copy Link

-

Mr Ustaran, please.

Eduardo Ustaran: This is a question that many organisations that operate globally face right now. You must understand that data protection law operates all over the world and data flows all over the world, so consistency is really important in order to achieve compliance in an effective way. Therefore, a question—a very valid question—is, “Do I comply with the EU GDPR across the board, including in the UK, or should I make a difference?”

The reality is that when you look at the way in which the UK data protection framework is being amended, it provides a baseline for compliance with both the UK and EU regimes, in the sense that much of what is being introduced could potentially be interpreted as already being the case in the EU, if you apply perhaps a more progressive interpretation of EU law. Therefore, I think we should look just a little bit further than just saying, “Well, if I do comply with EU law, will I be all right in the UK?”

Maybe the way to look at it—something I see some organisations exploring—is, “If I were to take the UK interpretation of the GDPR on a wholesale basis, would that allow me to operate across the world, and certainly in the EU, in a more effective and efficient but still compliant way?” This is something that companies will be exploring, and it is not as easy as simply saying, “Well, I will just do EU law across the board.”

Chi Onwurah

- Hansard -

Copy Link

-

Could I—

Chi Onwurah

- Hansard -

Copy Link

-

Q Mr Combemale, you set out some of the challenges of having centralised cookie management, and how that would give more power to the browsers. What you did not set out was how we could give more control and power to customers—citizens—over how they use their data. What are you doing to ensure that consumers have more control over how their data is used? You talked about the little thing that you can click to stop our personal data being used—that has been in place for some time now and it is great. If we have the time, Mr Ross, what is your sector doing as well, because the technology should be there to help and empower people?

Chris Combemale: I think a lot of what our sector does voluntarily—setting aside the legislation—is the creation of what are called permission centres. You will be familiar with them from when you go to a website and it asks about categories of information or products that you are interested in. That allows consumers to express their interest. Within the legislation there is very clear data notification, required at the point that data is collected, which requires companies to ask you what you want to do. Whether it is consent or legitimate interest, consumers always have the right to opt out.

With marketing, there is an absolute right to ask not to receive marketing of any kind, whether that is email, direct mail or telephone, at any time. Companies have an obligation to follow that. When it comes to marketing, which is my subject matter expertise, consumers are very well protected and do exercise their rights to opt out. They are further protected by central services, for example the telephone preference service. That is a law that companies can look up; 70% or so of households have registered their telephone number there. I think there are a large number of protections in place, both through the legislation and voluntarily.

Chi Onwurah

- Hansard -

Copy Link

-

Q Dr Tennison, could you give an example of the kind of abuse that you are most concerned about taking place if this Bill is passed unchanged, so that we can better understand your concern? And do I have time to ask—

Chi Onwurah

- Hansard -

Copy Link

-

Great. Ms Thomas, presumably all the automated decisions will be subject to employment law. Would employees have the information they need to appeal decisions and take them to an industrial tribunal?

Dr Tennison: You asked what kind of abuse I am particularly concerned about. I echo some of Anna’s concerns around the work context and what that looks like. We have recently been doing some case studies, which again I can share, and they really bring home the kinds of issues that workers are subject to as automated decision making is rolled out in organisations.

More broadly, though, I am concerned about the gradual drift of reducing trust in the public sphere when it comes to the use of data by Governments and organisations. In some ways, I am more concerned about this leading to people not adopting technology and opting out of data collection because they are worried about what might happen. That would hold us back from the progress and the good uses of data that I would really like to see.

Michael Birtwistle: I agree with that very much. We need to think about past public concern around GP data sharing, contact tracing and the Ofqual exams algorithm. When people see their data being used in unexpected ways, or in ways that make them feel uncomfortable, they withdraw their consent and support for that use, and we as a society lose the benefits that data-driven technology can bring.

Anna Thomas: Employment law and the other laws in that context certainly help in some areas; for example, there is unfair dismissal protection, and redundancy protection under the information and consultation regulations. However, it is a patchwork, and it is not clear. Clarity is needed for businesses, to reassure people at work that the principles in the AI White Paper ultimately apply to their data, and to promote prosperity and wellbeing as widely as possible.