Read Bill Ministerial Extracts
Data Protection Bill [Lords] Debate
Full Debate: Read Full DebateDamian Collins
Main Page: Damian Collins (Conservative - Folkestone and Hythe)Department Debates - View all Damian Collins's debates with the Department for Digital, Culture, Media & Sport
(6 years, 6 months ago)
Commons ChamberOf course, I agree entirely with my hon. Friend, and I am glad that he focused on local newspapers, because I referred to two changes. The first is the establishment of IPSO, which I believe in all serious respects is now compliant with what Lord Leveson wanted. The second is the complete change in the media landscape that has taken place in the last 10 years.
My right hon. Friend the Secretary of State mentioned the number of local newspapers that have gone out of business. We are seeing more continue to do so. There is likely to be further consolidation within the newspaper industry and the economics are steadily moving against newspapers. That is a real threat to democracy, because newspapers employ journalists who cover proceedings in courts, council chambers and, indeed, in this place. The big media giants who now have the power and influence—Google, Facebook and Twitter—do not employ a single journalist, so my right hon. Friend is absolutely right to have established the examination into the funding and future of the press. It is about looking forward, and that is where the House should be concentrating its efforts. It should not be looking backwards and going over again the events of more than 10 years ago; the world has changed almost beyond recognition.
My Digital, Culture, Media and Sport Committee colleague, the hon. Member for Newcastle-under-Lyme (Paul Farrelly)—I call him my hon. Friend—raised the recommendations of the Committee last year. One was that for IPSO to be considered compliant in any way with the spirit of Leveson, it should have a compulsory industry-funded arbitration scheme. While IPSO might not be perfect, does my right hon. Friend the Member for Maldon (Mr Whittingdale) agree that this is one of the most significant areas where IPSO has responded to pressure to try to make itself more compliant?
I agree very much with my hon. Friend. Indeed, I would have found it far harder to make the argument that IPSO was basically now compliant with Lord Leveson had it not introduced the scheme that is now in place. That was the biggest difference between the system as designed by my right hon. Friend the Member for West Dorset in the royal charter and IPSO, and that, as my hon. Friend the Member for Folkestone and Hythe (Damian Collins) said, has rightly been removed.
What we do in this debate is being watched around the world. This country is seen as a bastion of freedom and liberty, and a free press is an absolutely essential component of that. I say to those who are proposing these amendments: do not just listen to the newspaper industry, which is, as I say, united against this—that includes The Guardian, despite the efforts of Labour Front Benchers to somehow exclude them. Listen to the Index on Censorship, Reporters Without Borders, the Committee to Protect Journalists—campaigning organisations that are fighting oppression of the press around the world. They say that if this House brings in this kind of measure, it would send a terrible signal to those who believe in a free press. I therefore hope that the amendments will be rejected.
The significance of the Bill and the importance of data and data protection to the economy and the whole of society is reflected in this debate. The fact that amendments have been tabled on Report through the work of three different departmental Select Committees shows how wide-ranging this issue is.
I principally want to talk about amendments 20 and 21, which stand in my name and those of other members of the Digital, Culture, Media and Sport Committee and which are addressed by Government amendments, too. Before I do so, I want to add that the Chair of the Home Affairs Committee, the right hon. Member for Normanton, Pontefract and Castleford (Yvette Cooper), made a very important point about the fact that some people—particularly those involved in immigration cases—may not have full access to the data rights enjoyed by others. If the Minister can provide any further clarification, I will be happy to give way before I move on.
After the exchange I had with the hon. Member for Newcastle upon Tyne Central (Chi Onwurah), I wanted to confirm that the Home Office will certainly not destroy any data for which there is still a legitimate and ongoing need not just for the Home Office but for data subjects.
I am grateful to the Minister for that further clarification.
Amendments 20 and 21 get to the heart of an issue that has been raised by a number of Members, which is the power of the Information Commissioner to act in data investigations. The Minister, the right hon. Member for Birmingham, Hodge Hill (Liam Byrne) and others have referenced the Cambridge Analytica data breach scandal, which is a very good example of why these additional powers are needed. We raised that in the Select Committee with the Secretary of State. The Information Commissioner raised it with us and it was raised on the Floor of the House on Second Reading.
The ability to fine companies for being in breach of data rules is important, but what is most significant is that we get hold of the data needed by investigators, so that we understand who is doing what, how they are doing it and how wide-ranging this is. It is crucial that the Information Commissioner has the enforcement powers she needs to complete those investigations.
In the case of Cambridge Analytica, an information notice was issued by the Information Commissioner to that company to comply with requests for data and information. Not only did Cambridge Analytica not comply, but Cambridge Analytica and Facebook knew that. That information notice expired at 5 o’clock on the evening of the day when that deadline was set; it was the beginning of the week. Before the notice had expired and a warrant could even be applied for, Facebook had sent in its own lawyers and data experts to try to recover data that was relevant to the Information Commissioner’s request.
The Information Commissioner found out about that live on “Channel 4 News” and then effectively sent a cease and desist note to Facebook, telling it to withdraw its people. She might very well not have been made aware of what Facebook was doing that evening, and data vital for her investigation could have been taken out of her grasp by parties to the investigation, which would have been completely wrong. Not only did that happen—thankfully, Facebook stood down—but a further five days expired before a warrant could be issued—before the right judge in the right court had the time to grant the warrant to enable her to complete her work. We live in a fast-moving world, and data is the fuel of that fast-moving world, so we cannot have 19th or even 20th-century legal responses. We must give our investigatory authorities the powers they need to be effective, which means seizing data on demand, without notice, as part of an investigation, and having the ability to see how data is used in the workplace or wider environment.
The Government are bringing forward amendments, which I think have the support of the House, that will give us one of the most effective enforcement regimes in the world. They will give us the power to do something we have not been able to do before, which is to go behind the curtain to see what tech companies, even major tech companies, are doing and make sure they comply with our data rules and regulations. Without that or an effective power to inspect, we would largely be in the position of having to take their word for it when they said they were complying with the GDPR. Particularly with companies such as Facebook that run closed systems—they have closed algorithms and their data is not open in any way—there are very good commercial reasons for doing so, but there are also consumer safety reasons. We must have the power to go in and check what they are doing, so the amendments are absolutely vital.
There are further concerns. The shadow Minister, the right hon. Member for Birmingham, Hodge Hill, was right to raise concerns about honesty and transparency in political advertising. Both the Information Commissioner and the Electoral Commission are examining the use of data in politics, as well as looking at who places the ads. It is already a breach of the law in the UK, as it is in other countries, for people outside our jurisdiction to run political advertising during election campaigns in this country.
In the case of Facebook, it is unacceptable that its ad check teams have not spotted such advertising and stopped it happening when someone is breaking the law. If this were about the financial services sector, we would not let a company say, “Well, we thought someone was breaking the law, but we weren’t told to do anything about it, so we didn’t”. We would expect such a company to spot it and to take effective action. We need to see a lot more progress on this, particularly in relation to the placement of micro-targeting ads and dark ads. The Institute of Practitioners in Advertising has called for a moratorium on the micro-targeting of political ads, which may be seen only by the person who receives an ad and the person who places it.
When the chief technology officer of Facebook, Mike Schroepfer, gave evidence to the Select Committee, I asked him whether, if someone set up a Facebook page to run ads during a campaign and micro-targeted individual voters before taking down the page at the end of the campaign and destroying the adverts, Facebook would have any record that that advertising had ever run, he said that he did not know. We have written to him and Mark Zuckerberg saying that we need to know, because unless we know, a bad actor could run ads in huge volumes, investing a huge amount of money in breach of electoral law, and if they did not declare it, there would be no record of that advertising ever having been placed.
The Chair of the Select Committee is doing a brilliant job with his investigation, but the argument must stretch further than simply political advertising. For example, when Voter Consultancy Ltd ran attack ads against Conservative Members, accusing some of them of being Brexit mutineers, it was running an imprint for a company that was actually filing dormant accounts at Companies House. There are real questions not just about political ads in the narrow traditional sense, but about how to get to the bottom of who is literally writing the cheques.
The right hon. Gentleman is absolutely right and that throws up two really important points.
The first point is that the Information Commissioner is also currently investigating this, which links to the right hon. Gentleman’s point about where the money comes from and who the data controllers are in these campaigns. Although Facebook is saying that it will in future change its guidelines so that people running political ads must have their identity and location verified, we know that it is very easy for bad actors to fake those things. It would be pretty easy for anyone in the House to set up a Facebook page or account using a dummy email address they have created that is not linked to a real person, but is a fake account. This is not necessarily as robust as it seems, so we need to know who is running these ads and what their motivation is for doing so.
Secondly, the Information Commissioner is also looking at the holding of political data. It is already an offence for people to harvest and collect data about people’s political opinions or to target them using it without their consent, and it is an offence for organisations that are not registered political parties even to hold such data. If political consultancies are scraping data off social media sites such as Facebook, combining it with other data that helps them to target voters and micro-targeting them with messaging during a political campaign or at any time, there is a question as to whether that is legal now, let alone under the protection of GDPR.
As a country and a society, we have been on a journey over the past few months and we now understand much more readily how much data is collected about us, how that data is used and how vulnerable that data can be to bad actors. Many Facebook users would not have understood that Facebook not only keeps information about what they do on Facebook, but gathers evidence about what non-Facebook users do on the internet and about what Facebook users do on other sites around the internet. It cannot even tell us what proportion of internet sites around the world it gathers such data from. Developers who create games and tools that people use on Facebook harvest data about those users, and it is then largely outside the control of Facebook and there is little it can do to monitor what happens to it. It can end up in the hands of a discredited and disgraced company like Cambridge Analytica.
These are serious issues. The Bill goes a long way towards providing the sort of enforcement powers we need to act against the bad actors, but they will not stop and neither will we. No doubt there will be further challenges in the future that will require a response from this House.
I will be very brief, Madam Deputy Speaker, because we are incredibly tight for time.
There is so much in the Bill that I would like to talk about, such as effective immigration control, delegated powers and collective redress, not to mention the achievement of adequacy, but I will concentrate on amendment 5, which appears in my name and those of my hon. Friend the Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) and the hon. Member for Brighton, Pavilion (Caroline Lucas).
The amendment seeks to provide protection for individuals where automated decision making could have an adverse impact on their fundamental rights. It would require that, where human rights are or could be impacted by automated decisions, ultimately, there will always be a human decision maker at the end of the process. It would instil that vital protection of human rights in respect of the general processing of personal data. We believe strongly that automated decision making without human intervention should be subject to strict limitations to promote fairness, transparency and accountability, and to prevent discrimination. As it stands, the Bill provides insufficient safeguards.
I am talking about decisions that are made without human oversight, but that can have long-term, serious consequences for an individual’s health or financial, employment, residential or legal status. As it stands, the Bill will allow law enforcement agencies to make purely automated decisions. That is fraught with danger and we believe it to be at odds not just with the Data Protection Act 1998, but with article 22 of the GDPR, which gives individuals the right not to be subject to a purely automated decision. We understand that there is provision within the GDPR for states to opt out, but that opt-out does not apply if the data subject’s rights, freedoms or legitimate interests are undermined.
I urge the House to support amendment 5 and to make it explicit in the Bill that, where automated processing that could have long-term consequences for an individual’s health or financial, employment or legal status is carried out, a human being will have to decide whether it is reasonable and appropriate to continue. Not only will that human intervention provide transparency and accountability; it will ensure that the state does not infringe an individual’s fundamental rights and privacy—issues that are often subjective and are beyond the scope of an algorithm. We shall press the amendment to the vote this evening.