Data Protection and Digital Information (No. 2) Bill Debate
Full Debate: Read Full DebateDarren Jones
Main Page: Darren Jones (Labour - Bristol North West)Department Debates - View all Darren Jones's debates with the Department for Science, Innovation & Technology
(1 year, 8 months ago)
Commons ChamberI refer the House to my entry in the Register of Members’ Financial Interests.
The Bill has had a curious journey. It started life as the Data Protection and Digital Information Bill, in search of the exciting Brexit opportunities that we were promised, only to have died and then arisen as the Data Protection and Digital Information (No 2) Bill. In the Bill’s rejuvenated—and, dare I say, less exciting—form, Ministers have rightly clawed back some of the most high-risk proposals of its previous format, recognising, of course, that our freedom from the European Union, at least in respect of data protection, is anything but. We may have left the European Union, but data continues to flow between the EU and the United Kingdom, and that means of course that we must keep the European Commission happy to maintain our adequacy decision. For the most part, the Bill does not therefore represent significant change from the existing GDPR framework. There are some changes to paperwork and the appointment of officers, but nothing radical.
With that settled—at least in my view—the question is this: what is the purpose of this Bill? The Government aim to reduce regulatory burdens on business. To give Ministers credit, according to the independent assessment of the Regulatory Policy Committee, they have adequately set out how that will happen—unlike for other Government Bills in recent weeks. I congratulate the Government on their so-called “co-design” with stakeholders, which other Departments could learn from in drafting legislation. But the challenge in reducing business regulation and co-designing legislation with stakeholders is knowing how much of an influence the largest, most wealthy voices have over the smallest, least influential voices.
In this Bill—and, I suspect, in the competition Bill as its relates to the digital markets unit, and, if rumours are correct, the media Bill—that means the difference between the voice of big tech and the voice of the people. If reports are correct, I share concerns about the current influence of big tech specifically on Downing Street and about the amount of interference by No. 10 in the drafting of legislation in the Department. [Interruption.] Ministers are shaking their heads; I am grateful for the clarification. I am sure that the reporters at Politico are watching.
Research is a good example of a concern in the Bill relating to the balance between big tech and the people. When I was on the pre-legislative committee of the Online Safety Bill—on which I enjoyed working with the hon. Member for Folkestone and Hythe (Damian Collins), who spoke before me—everybody recognised the need for independent academics to have access to data from, the social media companies, for example, to help us understand the harms that can come from using social media. The Europeans have progressed that in their EU Digital Services Act, and even the Americans are starting to look at legislation in that area. But in the Bill, Ministers have not only failed to provide this access, but have opted instead to give companies the right to use our data to develop their own products. That means in practice that companies can now use the data they have on us to understand how to improve their products, primarily and presumably so that we use them more or—for companies that rely on advertising income—to increase our exposure to advertising, in order to create more profit for the company.
All that is, we are told, in the name of scientific research. That does not feel quite right to me. Why might Ministers have decided that that was necessary—a public policy priority—or that it is in any way in the interests of our constituents for companies to be able to do corporate research on product design without our explicit consent, instead of giving independent academics the right to do independent research about online harms, for example? The only conclusion I can come to is that it is because Ministers were, in the co-design process, asked by big tech to allow big tech to do that. I am not sure that consumers would have agreed, and that seems to be an example of big tech winning out in the Bill.
The second example relates to consumer rights and the ability of consumers to bring complaints and have them dealt with in a timely manner. Clause 7 allows for unreasonable delays by companies or data controllers, especially those that have the largest quantities of data on consumers. In practice, that once again benefits big tech, which holds the most data. The time that it can take to conclude a complaint under the Bill is remarkably long and will merely act as a disincentive to bringing a complaint in the first place.
It can take up to two months for a consumer or data subject to request access to the data that a company holds on them, then another two months for the company to confirm whether a complaint will be accepted. If a complaint is not accepted, there will then be up to another six months for the Information Commissioner to decide whether the complaint should be accepted, and if the Information Commissioner does decide that, the company then has one more month to provide the data, which was originally asked for nine months earlier. The consumer can then look at the data and put in a complaint to the company. If the company does not deal with the complaint, the earliest that the consumer can complain to the Information Commissioner is month 14, and the Information Commissioner will then have up to six months to resolve the complaint. All in all, that is up to 20 months of emails, forms, processes and decisions from multiple parties for an individual consumer to have a complaint considered and resolved.
That lengthy and complex complaints process also highlights the risks associated with the provisions in the Bill relating to automated decision making. Under current law, fully autonomous decision making is prohibited where it relates to a significant decision, but the Bill relaxes those requirements and ultimately puts the burden on a consumer to successfully bring a complaint against a company taking a decision about them in a wholly automated way. Will an individual consumer really do that when it could take up to 20 months? In the world we live in today, the likes of Chat GPT and other large language models will revolutionise customer service processes. The approach in the Bill seems to fail in regulating for the future and, unfortunately, deals with the past. I ask again: which stakeholder group asked the Government to draft the law in this complex and convoluted way? It certainly was not consumers.
In other regulated sectors and areas of law, such as consumer law, we allow representative bodies to bring what the Americans call “class actions” on behalf of groups of consumers whose rights have been infringed. That process is perfectly normal and exists in UK law today. Experience shows that representative bodies such as Citizens Advice and Which? do not bring class actions easily because it is too financially risky. They therefore bring an action only when there is a clear and significant breach. So why have Ministers not allowed for those powers to exist for breaches of data protection law in the same way that the European Union has, when we are very used to them existing in UK law? Again, that feels like another win for big tech and a loss for consumers. Reducing unnecessary compliance burdens on business is of course welcome, but the Government seem to have forgotten that data protection law is based on a foundation of protecting the consumer, not being helpful to business.
On a different subject, I highlight once again the ongoing creep of powers being taken from Parliament and given to the Executive. We have already heard about the powers for the Secretary of State to make amendments to the legislation without following a full parliamentary process. That keeps happening—not just in this Bill but in other Bills this Session, including the Online Safety Bill. My Committee, which has whole-of-Government scrutiny powers in relation to good regulation, has reprimanded the Department—albeit in its previous form—for the use of those Henry VIII powers. It is disappointing to see them in use again.
The Minister, in response to my hon. Friend the Member for Weaver Vale (Mike Amesbury), said that the Government had enhanced oversight of the Information Commissioner by giving themselves power to direct some of its legitimate interests or decisions, or the content of codes. I politely point out that the Information Commissioner regulates the Government’s use of our data. It seems odd to me that the Government alone are being given enhanced powers to scrutinise the Information Commissioner, and that Parliament has not been given additional oversight; that ought to be included.
The Government have yet to introduce any substantive legislation on biometrics. Biometric data is the most personal type of data, be it about our faces, our fingerprints, our voices or other characteristics that are personal to our bodies. The Bill does not even attempt to bring forward biometric-specific regulation. My private Member’s Bill in the 2019-21 Session—now the Forensic Science Regulator Act 2021—originally contained provisions for a biometrics strategy and associated regulations. At the then Minister’s insistence, I removed those provisions, having been told that the Government were drafting a more wide-ranging biometrics Bill, which we have not seen. That is especially important in the light of the Government’s artificial intelligence White Paper, as lots of AI is driven by biometric data. We have had some debate on the AI White Paper, but it warrants a whole debate, and I hope to secure a Westminster Hall debate on it soon. We need to fully understand the context of the AI White Paper as the Bill progresses through Committee and goes to the other place.
I am conscious that I have had an unusual amount of time, so I will finish by flagging two points, which I hope that the Parliamentary Under-Secretary of State for Science, Innovation and Technology will respond to in his summing-up. The first is the age-appropriate design code. I think that we all agree in this House that children should have more protection online than other users. The age-appropriate design code, which we all welcomed, is based on the foundation of GDPR. There are concerns that the changes in the Bill, including to the rights of the Secretary of State, could undermine the age-appropriate design code. I invite the Minister to reassure us, when he gets to the Dispatch Box, that the Government are absolutely committed to the current form of the age-appropriate design code, despite the changes in the Bill.
The last thing I invite the Minister to comment on is data portability. It will drive competition if companies are forced to allow us to download our data in a way that allows us to upload it to another provider. Say I wanted to move from Twitter to Mastodon; what if I could download my data from Twitter, and upload it to Mastodon? At the moment, none of the companies really allow that, although that was supposed to happen under GDPR. The result is that monopolies maintain their status and competitors struggle to get new customers. Why did the Government not bring forward provision for improved data portability in the Bill? To draw on a thread of my speech, I fear that it may be because that is not in the interests of big tech, though it is in the interests of consumers.
I doubt that I will be on the Bill Committee. I am sorry that I will not be there with colleagues who seem to have already announced that they will be on it, but I am sure that they will all consider the issues that I have raised.