Data Protection Bill [ Lords ] (Third sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Darren Jones
Main Page: Darren Jones (Labour - Bristol North West)Department Debates - View all Darren Jones's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [ Lords ] (Third sitting)
Darren Jones Excerpts(6 years, 1 month ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Darren Jones (Bristol North West) (Lab)
I beg to move amendment 152, in schedule 6, page 179, line 17, leave out paragraph 2 (as inserted by paragraph 49) and insert—
“2 The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, incorporate with any modifications which he or she considers necessary in any guidance or code of practice which the Commissioner issues, decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR.
2A The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”
It is a pleasure to serve under your chairmanship, Mr Streeter. I declare my interests as set out in the Register of Members’ Financial Interests.
Amendment 152, like the amendments we tabled on Tuesday, would assist the Government in securing a finding of adequacy from the European Commission so that, if the UK leaves the European Union, we can continue to exchange data with it. As the Committee knows, I like to refer to my version of the general data protection regulation as much as to the Bill, even though it is not the subject of our debate today.
I welcome the Government’s commitments on the Floor of the House to seeking something “akin to” adequacy, then adequacy, and then something “beyond adequacy”. I thank the Minister , the hon. Member for Stourbridge, for her response to my question on Second Reading about wanting “beyond adequacy” to represent a useful position for our Information Commissioner on the European data protection board. Some of us have concerns about that because of the practicalities of what happens with third countries. Indeed, I asked the Information Commissioner herself about it at an evidence session of the Select Committee on Science and Technology, and she confirmed that third countries traditionally have little influence on the article 29 working party—the predecessor of the EDPB—even if they have a seat at the table.
I think our shared view is that in seeking “beyond adequacy”, we want not only to have a seat at the table as a potential third country but to have influence. In order to have that influence, we need to go slightly above and beyond what other third countries do and show close co-operation between the UK and the European Union.
Article 45 of the GDPR sets out guidelines on how the European Commission will assess and agree decisions on adequacy. It has to be happy that our legal framework is in line with its own. Of course, there will be an initial conversation as part of trade negotiations with the European Union. Under paragraph 3, the Commission is then to undertake
“a periodic review, at least every four years”
to ensure that we continue to be compliant. Paragraph 4 refers to ongoing monitoring of developments in third countries in their application of data protection laws and privacy rights.
As I have said on Second Reading and in previous debates on data protection laws, my concern is that we should lockstep the developments in our legislation, guidance and codes of conduct to show that they are still in line with the leading European Union legislative framework for data protection, so that we can continue to flow important amounts of data. Some 70% of our data flow is with the EU, and the UK accounts for a huge proportion—around 11%—of global data flow. We must maintain that. Under article 50 of the GDPR, in deciding on adequacy, the European Commission must seek
“mechanisms to facilitate the effective enforcement of legislation”.
This is our opportunity to show the European Union that we are committed to data protection principles. Amendment 152 would tweak the wording of paragraph 2 of article 61 of the applied GDPR. I was pleased to see that paragraph; in earlier debates I raised some concerns that—for political reasons that I will not go into today—the Bill might not go as far as admitting that we need to track and implement EU law in the area. However, I want to strengthen the paragraph 2 wording, which says that our Information Commissioner must
“have regard to”
various things that happen at European Union level, including
“decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board”.
The amendment seeks to strengthen that slightly, while recognising that the Government, and probably also the Information Commissioner, would like a little flexibility.
Liam Byrne (Birmingham, Hodge Hill) (Lab)
This is a wise and carefully crafted amendment. Does my hon. Friend agree that it is especially needed because the Government have rather unwisely decided not to incorporate article 8 into British law, which means there is a risk of courts in Europe and Britain interpreting data protection regimes differently, leading to divergence in future?
Darren Jones
I agree. I am attempting not to get too much into the party politics in a bid to seek the Government’s agreement to the amendment, but there is an important distinction to be made. We have a layering of risks in seeking to achieve adequacy. On Tuesday we debated at length the Government’s decision to repeal fundamental rights of the European charter, which we know from European guidelines is something they look to. We will come to issues of national security today, which is also an issue for third countries, as we have seen with Canada.
This small amendment would help mitigate some of that risk by making it clear to our friends in the European Union that we in Britain are proud about the influence we had in drafting the general data protection regulation, which is a world-leading set of laws and rules for the future of our digital economy, and we continue to want to play a part in that, to help lead the conversation in the world and at European Union level. In co-operation with our friends in Europe, we seek to maintain that. While the Government may wish for divergence in other areas, I take the view that they do not in this area because we have been at the forefront of developments.
The amendment seeks only to tweak what is already in the Bill. As Members will see, it says that we would
“incorporate, with any modifications which he or she”—
that is the Information Commissioner—
“considers necessary in any guidance or code of practice… decisions…issued by the European Data Protection Board”.
There is a nuanced difference; the Bill as drafted speaks of having “regard to”, while the amendment speaks of incorporating, with any modifications that the Information Commissioner feels fit. It may seem like I am getting stuck in semantics—I do quite like to do that—but the amendment would deliver an important tone to the European Commission. On passing the Bill, we would be saying that when we are negotiating on data, where we have a shared interest at European and UK level, we want to get it right, and we will have gone beyond the basics of adequacy of other third countries because of our close relationship. We will hopefully have a seat on the European data protection board, where we seek to have influence, and we will take that responsibility seriously and, therefore, we will incorporate decisions of the board into the guidance of UK laws to lockstep our development in the area. As I said, it is made clear in the general data protection regulation that that is to be monitored on a continuous basis and more formally on a periodic basis.
I would not want us to lose adequacy in the future by diverging from European Union law. I want us to have an influential position on the European data protection board, which means being involved in the detail and taking the obligation of carrying that through on our side of the fence. The amendment seeks to bring that tone of co-operation and would help us and the Government in seeking adequacy so that we can secure these important data flows into the future.
Liam Byrne
It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.
That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.
Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.
Margot James
I reassure the hon. Gentleman that divergence, if it occurs, will apply only to the applied GDPR, which is outside the scope of EU law, and therefore may well apply in a similar sense to member states as well as to us, when we become a third country.
Darren Jones
I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.
From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.
The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.
Liam Byrne
The Minister seemed to rest her argument on the need to preserve the Information Commissioner’s discretion, which implies that she is trying to protect the commissioner’s ability to go her own way. That will not help us to secure, lock down or nail to the floor an adequacy agreement in years to come. It will put an adequacy agreement at risk.
Darren Jones
My right hon. Friend is exactly right. Of course, the Information Commissioner is an excellent commissioner. We are privileged to have Elizabeth in the role here in the UK, not least with her experience, as a Canadian, of being in a third country. That is why I put some flexibility into my amendment—to recognise that situations may arise about which we cannot hypothesise today in which the commissioner will need some flexibility. Under my amendment, she has the power to add modifications that she considers necessary. The Government’s concerns about the lack of flexibility are not reflected in the drafting of my amendment, as I have tried to deal with that.
The idea that the amendment increases the European data protection board’s power is incorrect, because this is UK law, not European Union law. The amendment merely says that we will go only slightly further, with flexibility, by recognising that in the decisions that we want to be a part of—that is a really important point here—and to influence, we will take the obligations as well as the responsibilities, should we be invited to.
Daniel Zeichner
Could the Bill not also put the Information Commissioner in an extraordinarily difficult position? Decisions that she may make in the future could have huge political consequences. I would be surprised if she wanted to take that on.
Darren Jones
I agree with my hon. Friend. The reality may be that under the wording in the Bill, the Information Commissioner has no choice but to apply and incorporate the European data protection board’s decisions if it is to keep up and maintain adequacy.
That is why the amendment is not something to worry about. It seeks to do what will probably happen in practice, but it puts our commitment to that relationship in the Bill. When we say to Europe that, uniquely, unlike any other third country and despite not being a member of the European Union, we want to have a position of influence on the EDPB, we can also say that we recognise that no one else has that level of influence, but in seeking to have it, we have made commitments to that future relationship in UK legislation.
I do not think any other Members here are members of the European Scrutiny Committee, but I spent the whole of yesterday afternoon losing votes on amendments to a report, and I rather enjoyed myself, so I will press this amendment to a vote.
Question put, That the amendment be made.
Brendan O'Hara (Argyll and Bute) (SNP)
It is a pleasure to serve under your chairmanship this afternoon, Mr Streeter.
I support amendment 154. We strongly recommend that if the Government are, as they claim to be, serious about providing the best possible data protection regime to achieve the gold standard that they often talk about for UK citizens, they should look again at the issue of collective redress and make provision for suitably qualified non-profit organisations to pursue data protection infringements and breaches of their own accord, as provided for by the GDPR.
The right hon. Member for Birmingham, Hodge Hill rightly said that the amendments would allow representative bodies to bring such cases, but would also allow individuals to opt out. Currently there is not a level playing field. If the Bill is not amended, the already uneven playing field will become impossibly uneven for individuals whose rights are breached or infringed—probably by a tech giant.
Collective redress was one of the most controversial and hotly debated issues when the Bill was in the House of Lords. The Government resisted all attempts to change it there. There have been slight amendments since then, and an understanding has been reached, but I feel that what the Government propose does not go nearly far enough to address the concerns expressed by Scottish National party and Labour Members.
Anna Fielder, a former chair of Privacy International, wrote:
“Weak enforcement provisions were one of the widely acknowledged reasons why the current data protection laws, in the UK and elsewhere in Europe, were no longer fit for purpose in the big data age. As a result, it has been more convenient for organisations collecting and processing personal information to break the law and pay up if found out, than to observe the law — as profits made from people’s personal information vastly outweighed even the most punitive of fines.”
That is the situation we are in, and it is incumbent on legislators to level the playing field—not to make it even more uneven. However, as the Bill currently stands, it only enables individuals to request that such suitably qualified non-profit organisations take up cases on their behalf, rather than allowing the organisations themselves to highlight where they believe a breach of data protection law has occurred.
All too often, as has been pointed out on numerous occasions, individuals are the last people to know that their data has been unlawfully and in many cases illegally used. They depend on suitably qualified non-profit organisations, which are there to conduct independent research and investigations, to inform them that that is the case. Indeed, there was a very striking example recently in Germany, where the consumer federation took one of the tech giants to court over a number of platform breaches of current German data protection law, and it won. However, there are numerous examples across the world of organisations and groups highlighting bad or illegal practices that would hitherto probably have gone unnoticed here.
Privacy International recently published a report on the use and possible abuse of personal data connected to the rental car market. Which? has carried out research on online toys that are widely available in this country, which could pose serious child safety risks. The Norwegian consumer council has done similar work on toys, as well as exposing unlawful practices by health and dating apps.
Across the world, there are groups that do collective redress work very successfully in Belgium, Italy, Portugal, Spain, Sweden, Canada and Australia. I urge the Government to reconsider the matter and to see the great consumer benefits and protections that would come from accepting amendment 154. It would give not-for-profit organisations the right to launch complaints with a supervisory authority, as well as seeking judicial remedy, when it considered that the rights of a data subject under the GDPR had been breached.
I repeat that at the moment we have an uneven playing field. If the Bill goes through unamended it will become an impossible playing field for consumers, so I urge the Government to accept the amendment.
Darren Jones
I promise not to speak at every opportunity today, Mr Streeter; I am conscious that it is a Thursday and that Members have constituencies to get to, but on this point I will just add my support to the amendment tabled by my right hon. Friend the Member for Birmingham, Hodge Hill.
The Bill puts us in a position that we should not have been in in the first place. The Government’s original view was that they were not going to implement article 80 of the GDPR; they have now gone one step in that direction, and I support the aim that we go the whole hog.
I recognise from my work previous to being an MP that a lot of tech companies are not evil; they want to do the right thing and go about being successful as businesses. It was partly my job in the past to look at these areas of law on behalf of companies, and to work with campaigning groups, regulators and others. It was about being an internal voice to make sure that there was the correct balance within businesses between considering consumers and being pro-business. This amendment would help to facilitate that conversation, because if bodies such as Which? that are private enforcers on behalf of consumers had these legal rights, then of course there would be an obligation on businesses to have ongoing dialogue and relationships. They would have to make sure that consumers’ concerns were at the forefront and that they were doing things in the right way.
The balance to be struck is really important. The Information Commissioner’s Office, for example, has lost quite a lot of staff to other companies recently. The Minister’s Department had to increase the salary bands for ICO staff to try to keep them there. In other sectors of the regulated economy, having private enforcers on behalf of consumers as a collective group works perfectly well for existing regulators.
In the telecommunications sector, in which I have worked in the past, there is Ofcom, which regulates the telecom sector, but there is also Which?, working as a private enforcer under the Consumer Rights Act 2015, which can act on behalf of consumers as a group. That works perfectly well and as my right hon. Friend said, private enforcers will not just start bringing these super-complaints every week, because the risk would be too high. They will only bring these super-complaints when they have failed in their dialogue and have no choice.