Leaving the EU: Data Protection

Darren Jones Excerpts
Thursday 12th October 2017

(7 years, 2 months ago)

Commons Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Matt Hancock Portrait Matt Hancock
- Hansard - - - Excerpts

What it means is that the arrangements are harmonised right now. Should the Data Protection Bill become an Act, as I sincerely hope it will—it does have cross-party support—our existing arrangements at the point of exit will be harmonised. What happens after that will depend on the negotiation of our future relationship, with the UK being sovereign. The point is to ensure that the technical details are informed by high-quality UK technical considerations and the capability of the Information Commissioner’s Office. This is, of course, subject to negotiation. We set that out as something we wanted to consider when we published the paper in the summer, but, as the right hon. Gentleman may have heard, we are not yet on to negotiating our future relationship, although we are looking forward to that happening.

During the summer, we published the future partnership paper, which sets out how we ensure the continued protection and uninterrupted exchange of personal data between the EU and the UK. The purpose of setting that out was to offer stability and confidence to businesses, public authorities, charities and individuals. My message to business in particular is very clear. We understand how important this matter is. We know that it is in the strong self-interest of the UK and the EU to get a good deal that involves the unhindered free flow of data. The new partnership should protect the privacy of individuals and respect the UK’s sovereignty, including the UK’s ability to protect the security of its citizens and to maintain and develop its position as a leader in data protection. Ensuring that we protect privacy while also allowing for the innovative use of big data so that the UK can be a world leader in artificial intelligence are the joint goals of the Data Protection Bill.

Darren Jones Portrait Darren Jones (Bristol North West) (Lab)
- Hansard - -

On the point about what the general data protection regulation provides as an opportunity, does the Minister recognise that it will actually be implemented through a statutory instrument under the European Union (Withdrawal) Bill? Does he agree that we should therefore have a debate in the House on that SI when we get the opportunity?

Matt Hancock Portrait Matt Hancock
- Hansard - - - Excerpts

I am sure that the Under-Secretary of State for Exiting the European Union, my hon. Friend the Member for Worcester (Mr Walker), will have heard that point—this is a bit like a return to business questions from earlier. Parliamentary procedure is a matter for that Bill, but the hon. Gentleman has made his case. It is very important that the element of the GDPR that is directly applicable and therefore not in the Data Protection Bill is brought into UK law. However, we have designed the Bill so that that can slot directly in, meaning that once we leave, the UK should have a fully consistent, full-spectrum data protection regime under our legislation.

The new relationship should also not impose unnecessary additional costs on businesses and must be based on the objective consideration of evidence. Furthermore, because many of these issues are technical, we will continue to seek ongoing regulatory co-operation between the EU and the UK on current and future data protection issues. By doing that, we will build on the opportunity of a partnership between global leaders on data protection and continue to protect the privacy of individuals. As the paper that we published in the summer reiterates, it is important that we provide clarity and certainty for businesses and individuals as soon as possible, so that data flows are not disrupted when the UK leaves the EU. In addition, this is part of a wider global debate about the flow of data, because it is also incredibly important that we get right our data relationship with the United States, Japan and others.

--- Later in debate ---
Robert Neill Portrait Robert Neill
- Hansard - - - Excerpts

My hon. Friend is right and I pay tribute to the work that she did on this and several other issues for the United Kingdom during her time as a Member of the European Parliament.

The evidence given to the Justice Committee was clear that these are interlocking parts of a criminal justice co-operation system and we cannot cherry-pick some bits and not others. It is important that we find ways of maintaining equivalent means of access across the board on these criminal justice co-operation measures. I have mentioned ECRIS and I hope that the Minister will reassure us that finding a way to stay in it is a high priority for the Government.

We should also wish to remain in the second-generation Schengen information system as it gives the UK real-time access to all European arrest warrants. The European arrest warrant is a valuable tool and it is a great help to British law enforcement agencies. I say that as someone who worked as a barrister in criminal law for 25 years before I came to the House. That was at a time when we did not have that means of getting back from abroad villains who had committed crimes in this country. It is a great advantage that we do now have that ability, and since certain amendments were made to the way in which it operates, there are many more safeguards for UK citizens when an EAW is issued than was previously the case. It is a tool that has been refined and improved, and it would be a great advantage for us to stay in it.

SIS II—I apologise for all the acronyms—is also important because it contains, for example, alerts on missing persons. In all, it gives us access to 66 million pieces of data, which helps our justice system, and it is important that we continue to have access to it. The National Crime Agency said:

“Loss of access to SIS II would seriously inhibit the UK’s ability to identify and arrest people who pose a threat to public safety and security and make sure that they are brought to justice.”

I hope that the Minister will confirm that that, too, is a high priority for the Government.

Darren Jones Portrait Darren Jones
- Hansard - -

I stress my agreement with the hon. Gentleman’s remarks about these sharing systems. An example given to me by the Avon and Somerset constabulary involved the awful case of a member of the public viewing child pornography live in this country. Through data-sharing with the continent, the police services in Spain were able to raid the person delivering the data and bring to an end the crimes being committed here and in Europe. Such data sharing must continue, to protect our constituents and our friends on the continent.

Robert Neill Portrait Robert Neill
- Hansard - - - Excerpts

The hon. Gentleman is right, and that was the tenor of the evidence that we heard from all the law enforcement agencies. The benefits of data have also meant that crime has been internationalised in a raft of ways, including of course classic cyber-crime, but also in international fraud, organised crime and, sadly, sexual offences through the internet. Having a full range of measures to deal with those issues is critical.

--- Later in debate ---
Darren Jones Portrait Darren Jones (Bristol North West) (Lab)
- Hansard - -

I declare my interest as set out in the Register of Members’ Financial Interests. I pay tribute to my hon. Friend the Member for Warwick and Leamington (Matt Western) for the excellent curry in his constituency. As one of the few vegan MPs, I will happily visit and partake of the curried tofu if there is a vegan option; perhaps it will be better than that served in the Members’ Tea Room, grateful though I am for the option.

I was somewhat confused when I saw this debate on the Order Paper, not least because the Data Protection Bill is in the other place and scheduled to arrive here in due course, as the title was, “Exiting the European Union and Data Protection”. I therefore came with great hope—indeed, hope is the watchword of today—that the debate might be about some updates on how we will seek an agreement on adequacy with the European Union. Given that we are relying on hope and on some form of adequacy agreement—to proceed without an adequacy agreement would be, much like the rest of the Brexit policy, completely incoherent—I hope that the Minister will keep us posted on the progress that is being made towards an agreement, the timelines for doing so and the headway made in conversations about it.

We have a very short period in which to implement complicated and wide-ranging new laws. The Data Protection Bill, as we have heard today, incorporates not just GDPR issues for non-EU areas of competency, but matters of law enforcement and other things that have wide-ranging implications for our country and our laws. Those things must fit around the GDPR, which, as I said in my earlier intervention, will probably become law through a statutory instrument under the European Union (Withdrawal) Bill. I restate my ask of the Government that we should have the opportunity to debate that statutory instrument in substance in this House, not least because some of its important provisions require debate to guide businesses in my constituency and across the country on their application. An example concerns the right to human intervention when a decision has been made using profiling and automated processes—things such as algorithms. Many of my hon. Friends and other members of the Select Committee on Science and Technology will be looking at that issue, but some have grave concern about whether, when we bring in machine learning and changing algorithms, it is even possible to deliver the right to human intervention.

The Bill, which already covers many areas of law, is the start of a wider conversation that includes the network and information security directive and—to go to the important question of marketing, which my right hon. Friend the Member for East Ham (Stephen Timms) spoke about—the e-privacy regulation. How will those fit together? How will businesses, charities and other organisations, many of which do not have rooms full of lawyers and compliance specialists to help them to implement the law, know how everything fits together?

The Prime Minister and—dare I say?—her most ill-informed Brexiteer MPs seem happy with the idea of a no-deal hard Brexit. Many people can visualise lorries on the border, unable to export British goods to the continent. The same would be true for data. With a hard Brexit, there would be a standstill, and there would be blockages on the border for data. Much as with the goods in those trucks in Dover and in the port of Avonmouth in Bristol North West, that would be a disaster for business, consumers and importantly, as we have heard, for policing and the prevention of criminal activity.

Alison Thewliss Portrait Alison Thewliss
- Hansard - - - Excerpts

The issues that the hon. Gentleman is setting out are crucial to the whole Brexit debate. Would he agree that one of the major inadequacies of the debate until the referendum was that such issues were not debated and that they were not well understood?

Darren Jones Portrait Darren Jones
- Hansard - -

I agree with that sentiment. Dare I say it, but very few Government Members are present? Although my right hon. Friend the Member for East Ham said this may be an anorak issue, it is in fact crucial to our economy, our new civil liberties and the type of country we want to live in. We should be having such a debate, and I again restate our request that we should do so in this House not only on the Data Protection Bill, but on the GDPR statutory instrument.

I am looking forward to the Data Protection Bill and I am excited about the Committee stage, but I will take this opportunity to address some of the strategic issues that many Members have mentioned: first, the basis of data protection law in the European charter of fundamental rights, on which I will not revisit the arguments already made but will, I hope, add something interesting and new to the debate; secondly, the incoherence between the necessity to mirror EU law and the Government’s illogical policy approach on Brexit; and lastly, the rights and protections of children.

First, as we have heard in this debate, the Government have made it clear that the European charter of fundamental rights will be revoked under the European Union (Withdrawal) Bill. The Minister said that the GDPR in effect says the same thing, but article 8 of the charter, which underpins the GDPR, is referenced in article 45 of the GDPR. If the GDPR is referencing out to statutory, fundamental rights and we take that anchor away, we must replace it elsewhere. I will therefore support the amendment to the Bill proposed by my right hon. Friend the Member for East Ham, to ensure that that happens.

Matt Hancock Portrait Matt Hancock
- Hansard - - - Excerpts

I am sorry to intervene, but I have already explained that because European jurisprudence is being brought into UK law, references to the charter in existing case law will be brought into UK law, which satisfies the hon. Gentleman’s demand.

Darren Jones Portrait Darren Jones
- Hansard - -

With respect to the Minister, I am not persuaded that that will be agreed by the European Commission. Of course ECJ jurisprudence will be Supreme Court jurisprudence in this country and will be referenced by judges in that Court, but without a statutory anchor ensuring that the fundamental right is, in their view, in favour of the consumer and the data subject, we risk divergence on the application of the rules.

I want to mention the right of collective address. Under the GDPR, bodies can campaign and bring actions against data controllers in the interests of consumers and data subjects as a whole. This works very well in other areas of the law in this country, such as the Consumer Rights Act 2015. Under that Act, Which?, as a private enforcer against unfair terms, can act on behalf of consumers. For some reason, the Government have decided not to adopt such an approach in the Data Protection Bill. I look to the Minister in his closing remarks to explain why he does not think organisations should be able to bring actions for collective redress on behalf of data subjects. Many data subjects may not be able to enforce their own rights as individuals but rely on such organisations to act in their interests.

On fundamental rights more broadly, I am still confused. I hope that the Minister will provide clarification in this final debate of the week by showing how, although we must maintain fundamental rights, we are also removing them. It is much like being in the single market and leaving it, much like being in Europe but not being in Europe, and much like protecting fundamental rights and not protecting them. What is the answer? The Data Protection Bill seeks to ensure transparency and accountability, and in the light of that theme, I hope the Minister will respond on fundamental rights.

Secondly, if we are successful in seeking an adequacy agreement, it is then for us to maintain equivalence as part of that developing area of EU law, as other Members have said. That will require the UK to adopt the decisions of the newly created European Data Protection Board, which is subject to the jurisprudence of the European Court of Justice. Yet the Government insist that we can be both in and out, which is ludicrous, as I have said. They also say that we can be in it without being subject to the rules, but we know that that is a fallacy. Will the Minister confirm whether the Government’s policy is to get an adequacy agreement either this year or next year, only for it to be revoked in a few years’ time because we do not want to be subject to the jurisdiction of the ECJ? We must be subject to its jurisdiction if we are to maintain adequacy, but we will be forever on the cliff edge of being concerned that adequacy will be removed—as it was from the United States of America by the European Commission—and that is the risk our businesses, our consumers, our charities and others fear.

Lastly, I wish to address the rights and protections of children. I will return to this topic in detail on Second Reading. It is a great disappointment that the European Union has backtracked and pulled back slightly on this issue, so that instead of having a harmonised rule saying that children deserve extra protections—especially in the context of understanding how their use of online products and services means giving over personal data, how that personal data is profiled and how advertising is targeted on children—the European Union decided to provide member states with a range of ages to choose from, from 13 to 16.

As my hon. Friend the Member for Cardiff West (Kevin Brennan) said, the UK opted for the age of 13 as the minimum GDPR requirement. I think that is the wrong decision and, according to polls by YouGov, 80% of parents agree with me. However, I encourage us to be intelligent about the way we regulate to support children. It is obvious that if we put in these frameworks children may find ways to use the systems anyway. No doubt there are a number of children under the age of 12 and 13 using social media sites today. We must make sure that the regulation is—dare I say?—with the kids. It needs to make sense and it needs to work properly. I look forward to having that debate and no doubt a shared aim.

As we prepare for the arrival of the Data Protection Bill, this is the first glimpse of a major piece of proposed legislation that highlights the enormous challenges with implementing Brexit. It is not just an issue of primary law for many of the issues we have talked about today; it is about clear rules and about compliance by those subjected to it. On clear rules, I refer to comments made by the Baroness Lane-Fox on Second Reading in the other place, when she pulled out a particularly entertaining section the Data Protection Bill, which reads:

“Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR… In this Chapter, ‘the applied Chapter 2’ means Chapter 2 of this Part as applied by this Chapter”.

Other than that sounding like something out of the “Yes Minister” comedy series, it says to me, as a former lawyer, expense. People will be concerned—quite frankly, charities and other groups will be terrified—about getting this wrong. They will have to endure huge compliance costs in trying to implement what should be clear rules into their business.

Following on from what the hon. Member for Chelmsford (Vicky Ford) said—she is not in her place—on compliance and guidance from the ICO, I stress this point with the Minister: many businesses want to do the right thing. They wait on guidance from the ICO and others to tell them what the law means and how they will seek to enforce that law. However, much guidance has either been delayed or is not yet with us. The guidance that has been provided is not, in many cases, sufficiently clear either. We must support the ICO properly to ensure it can provide that service, and we must make sure that people know how to comply with the law.

The UK is, as we have heard, one of the world’s leading digital economies. Bristol is one of the largest digital economies outside of London, and we lead the way on these issues in the world. We have the opportunity to set the tone in becoming a global hub for the world’s digital economy based not only on trust, accountability and security, but on business innovation and leadership. I look forward to helping the Government in this House to get that right.

--- Later in debate ---
Matt Hancock Portrait Matt Hancock
- Hansard - - - Excerpts

I think the right hon. Gentleman is wrong on this point, which no doubt we will debate during the passage of the Bill. We know of no other jurisdiction with an adequacy deal that has been required to put the charter into law. Such a requirement has not been imposed anywhere else, so there is no reason for it in this case. The charter is a summary of laws present elsewhere and we are bringing the jurisprudence into UK law. Our goals are the same; in a sense, the question is a legal one. The fact that such a requirement has not existed in any other adequacy arrangements implies that the issue should not be problem for us, not least because of our strong legal basis for bringing GDPR into UK law.

On mail and direct marketing by post, I should like to correct the right hon. Gentleman slightly. Data controllers will need a legal basis for this under GDPR, but article 6 sets out a number of potential legal bases, not only consent. That does not change the reality on the ground from the current data protection arrangements. I hope that I have provided adequate reassurance.

The right hon. Gentleman and the hon. Member for Leeds North West (Alex Sobel) raised article 8, as did others. I am clear about the strength of the assurance that I have given and I hope that Opposition Members accept it. When private businesses consider their future arrangements, I hope that Members on both sides will make clear our determination to get a deal that is as good as adequacy, if not better. We want people to continue to do business and thrive here in the UK.

My hon. Friend the Member for Chelmsford, whom I have mentioned a couple of times, made a powerful and informed speech. Of course we think that the passenger data transfer is important; the referendum does not change how important it is. The EU already has third country arrangements in place with others, so we see no reason why the issue cannot be fixed. I am also sure that Chelmsford is a happy place to live; I wonder whether that is down to my hon. Friend or her ebullient predecessor.

I also agree with my hon. Friend that we must be vigilant and not gold-plate the Data Protection Bill through Information Commissioner’s Office guidance. No doubt we will discuss that during the passage of the Bill. I have regular conversations with the ICO about exactly that issue. We want guidance to come out early. In some cases, the ICO is having to wait for guidance from the Commission and that causes the delay—it is not the fault of the Information Commissioner. But we do want guidance to be in clear, simple language, not gold-plated, and to come out as early as is reasonably practicable. I thank the Information Commissioner and all her team for her excellent work.

Darren Jones Portrait Darren Jones
- Hansard - -

The Minister says that the guidance should come out early, but it is already too late in respect of direct applicability of the general data protection regulation for many businesses, which may need to carry out major systems changes if guidance says something that they are not expecting based on interpretation of the article. Will he say to the ICO that, where guidance is late and that makes it harder for organisations to make those changes, there will be some leeway when it comes to enforcement?

Matt Hancock Portrait Matt Hancock
- Hansard - - - Excerpts

The hon. Gentleman speaks like a true lawyer. The hon. Member for Cardiff West said that the hon. Gentleman had been outed as a lawyer during this debate—my goodness, he outs himself as a lawyer from the first moment he strikes his posture in this Chamber. He is obviously a lawyer and that latest point only proves it further. The ICO has already said that, and it is well worth reading the Information Commissioner’s Cambridge speech from a couple of months ago, which set out that reassurance. The hon. Gentleman asked about timing and complained about there not being an agreement already. We want to get on and discuss the future relationship, and the Government have made that clear; it is the European side that is blocking progressing on to the future relationship. I hope that we can get on and discuss it forthwith.