WhatsApp Data Breach

Debate between Darren Jones and Margot James
Wednesday 15th May 2019

(5 years, 6 months ago)

Commons Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts

Urgent Questions are proposed each morning by backbench MPs, and up to two may be selected each day by the Speaker. Chosen Urgent Questions are announced 30 minutes before Parliament sits each day.

Each Urgent Question requires a Government Minister to give a response on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the offical record

Margot James Portrait Margot James
- Hansard - - - Excerpts

I am grateful to my hon. Friend for reminding the House of the significant powers that the ICO now has. Of course, the powers are there to enforce and protect the privacy of UK users. It remains to be seen whether UK users have been affected by this breach but, if they have, I am sure the ICO will make further inquiries.

Darren Jones Portrait Darren Jones (Bristol North West) (Lab)
- Hansard - -

I declare my interest, as set out in the Register of Members’ Financial Interests.

I am sure the Minister will want to encourage the increasing number of her colleagues who have their own budding leadership WhatsApp groups to update their app. My hon. Friend the Member for West Bromwich East (Tom Watson) made an important point that this is not only about encryption but about the connection between devices and the transition from the old copper cables to the VoIP system of broadband connectivity. This is a question for Ofcom, not the ICO, so what conversations is the Minister having with Ofcom about the security standards for connections over the internet-based communications network?

Margot James Portrait Margot James
- Hansard - - - Excerpts

I thank the hon. Gentleman for quite rightly raising the role of Ofcom. I have regular meetings with the chief executive of Ofcom, and I will certainly raise the matter the hon. Gentleman has raised with me at my next meeting with her.

Data Protection Bill [ Lords ] (Seventh sitting)

Debate between Darren Jones and Margot James
Thursday 22nd March 2018

(6 years, 8 months ago)

Public Bill Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Darren Jones Portrait Darren Jones
- Hansard - -

Then you agree with hon. Members on both sides of the Committee, Mr Streeter. Of course we do, but as we have seen this week with the Cambridge Analytica scandal, rules must be set, and there must be a balance between allowing innovation to flourish and people’s rights not to be harmed in the process.

Margot James Portrait Margot James
- Hansard - - - Excerpts

Quite. That is the basis of the Bill.

Darren Jones Portrait Darren Jones
- Hansard - -

I agree—that is why I welcome the Bill. I am saying that we ought to go further, which is why I support the new schedule, and having conversations about ownership.

Returning to the issue of health data, I have personal views about how we might tax revenues from platforms in a better way. I welcome the comments made by the Chancellor of the Exchequer, in line with his counterparts in Europe, about looking at how we tax revenues where they are made, not where the company is headquartered. That is a positive move, but surely if all this NHS data is creating profits for other companies and organisations, we can create a situation in which patients also benefit from that, by sharing in the profits that are made and by seeing value redirected into the health service.

All that becomes anchored in the question of ownership. There is still this legal space that says that data subjects do not own their own data. We need a much broader debate on that. [Interruption.] Members are shaking their heads. I am happy to take interventions, if Members would like.

Data Protection Bill [ Lords ] (Eighth sitting)

Debate between Darren Jones and Margot James
Thursday 22nd March 2018

(6 years, 8 months ago)

Public Bill Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Darren Jones Portrait Darren Jones
- Hansard - -

I beg to move, That the clause be read a Second time.

New clause 17 is in my name and that of my right hon. Friend the Member for Birmingham, Hodge Hill. I do not take it personally that my other hon. Friends have not signed up to it; that was probably my fault for not asking them to do so in advance.

The new clause would bring a statutory footing to the data and artificial intelligence ethics unit, which I am very pleased that the Government have now funded and established, through the spring statement, in the Minister’s Department. It comes off the back of conversations with the Information Commissioner in Select Committee about the differing roles of enforcing legislation and of having a public debate about what is right and wrong and what the boundaries are in this ever-changing space. The commissioner was very clear that we need to have that debate with the public, but that it is not for her to do it. The ICO is an enforcer of legislation. The commissioner has a lot on her plate and is challenged by her own resource as it is. She felt that the new unit in the Department would be a good place to have the debate about technology ethics, and I support that assertion.

With no disrespect to any colleagues, I do not think that the House of Commons, and perhaps even the Select Committees to a certain extent, necessarily has the time, energy or resource to get into the real detail of some of the technology ethics questions, nor to take them out to the public, who are the people we need to be having the debate with.

The new clause would therefore establish in law that monitoring, understanding and public debate obligation that I, the ICO and others agree ought to exist in the new data ethics unit, but make it clear that enforcement was reserved for the Information Commissioner. I tabled the new clause because, although I welcome the Government’s commitment to the data and AI ethics unit, I feel that there is potential for drift. The new clause would therefore put an anchor in the technology ethics requirement of the unit so that it understands and communicates the ethical issues and does not necessarily get sidetracked into other issues, although it may seek to do that on top of this anchor. However, I think this anchor needs to be placed.

Also, I recognise that the Minister and the Secretary of State supported the recommendation made previously under the Cameron Government and I welcome that, but of course, with an advisory group within the Department, it may be a future Minister’s whim that they no longer wish to be advised on these issues, or it may be the whim of the Treasury—with, potentially, budget cuts—that it no longer wishes to fund the people doing the work. I think that that is not good enough and that putting this provision in the Bill would give some security to the unit for the future.

I will refer to some of the comments made about the centre for data ethics and innovation, which I have been calling the data and AI ethics unit. When it was first discussed, in the autumn Budget of November 2017, the Chancellor of the Exchequer said that the unit would be established

“to enable and ensure safe, ethical and ground-breaking innovation in AI and data-driven technologies. This world-first advisory body will work with government, regulators and industry to lay the foundations for AI adoption”.

Although that is a positive message, it says to me that its job is to lay the foundations for AI adoption. I agree with that as an aim, but it does not mean that at its core is understanding and communicating the ethical challenges that we need to try to understand and legislate for.

I move on to some of the documents from the recruitment advertising for personnel to run the unit from January of this year, which said that the centre will be at the centre of plans to make the UK the best place in the world for AI businesses. Again, that is a positive statement, but one about AI business adoption in this country, not ethical requirements. It also said that the centre would advise on ethical and innovative uses of data-driven tech. Again, that is a positive statement, but I just do not think it is quite at the heart of understanding and communicating and having a debate about the ethics.

My concern is that while all this stuff is very positive, and I agree with the Government that we need to maintain our position as a world leader in artificial intelligence and that it is something we need to be very proud of—especially as we go through the regrettable process of leaving the European Union and the single market, we need to hold on to the strengths we have in the British economy—this week has shown that there is a need for an informed public debate on ethics. As no doubt all members of the Committee have read in my New Statesman article of today, one of the issues we have as the voice of our constituents in Parliament is that in order for our constituents to understand or take a view on what is right or wrong in this quickly developing space, we all need to understand it in the first place—to understand what is happening with our data and in the technology space, to understand what is being done with it and, having understood it, to then to take a view about it. The Cambridge Analytica scandal has been so newsworthy because the majority of people understandably had no idea that all this stuff was happening with their data. How we legislate for and set ethical frameworks must first come from a position of understanding.

That is why the new clause sets out that there should be an independent advisory board. The use of such boards is commonplace across Departments and I hope that would not be a contentious question. Subsection (2) talks about some of the things that that board should do. The Minister will note that the language I have used is quite careful in looking at how the board should monitor developments, monitor the protection of rights and look out for good practice. It does not seek to step on the toes of the Information Commissioner or the powers of the Government, but merely to understand, educate and inform.

The new clause goes on to suggest that the new board would work with the commissioner to put together a code of practice for data controllers. A code of practice with a technology ethics basis is important because it says to every data controller, regardless of what they do or what type of work they do, that we require ethical boundaries to be set and understood in the culture of what we do with big data analytics in this country. In working with the commissioner, this board would add great value to the way that we work with people’s personal data, by setting out that code of practice.

I hope that the new clause adds value to the work that the Minister’s Department is already doing. My hope is that by adding it to the Bill—albeit that current Parliaments cannot of course bind their successors and it could be legislated away in the future—it gives a solid grounding to the concept that we take technology ethical issues seriously, that we seek to understand them properly, not as politicians or as busy civil servants, but as experts who can be out with our stakeholders understanding the public policy consequences, and that we seek to have a proper debate with the public, working with enforcers such as the ICO to set, in this wild west, the boundaries of what is and is not acceptable. I commend the new clause to the Committee and hope that the Government will support it.

Margot James Portrait Margot James
- Hansard - - - Excerpts

I thank the hon. Gentleman for raising this very important subject. He is absolutely right. Data analytics have the potential to transform whole sectors of society and the economy—law enforcement and healthcare to name but some. I agree with him that a public debate around the issues is required, and that is one of the reasons why the Government are creating the centre for data ethics and innovation, which he mentioned. The centre will advise the Government and regulators on how they can strengthen and improve the way that data and AI are governed, as well as supporting the innovative and ethical use of that data.

Data Protection Bill [Lords] (Sixth sitting)

Debate between Darren Jones and Margot James
Tuesday 20th March 2018

(6 years, 8 months ago)

Public Bill Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Margot James Portrait Margot James
- Hansard - - - Excerpts

I will have to write to the hon. Lady on that. I do not think it would provide cover for insurance companies in those circumstances, but I would like to double-check before I give a definitive answer to her question.

Question put and agreed to.

Clause 171 accordingly ordered to stand part of the Bill.

Clauses 172 to 176 ordered to stand part of the Bill.



Clause 177

Jurisdiction

Darren Jones Portrait Darren Jones (Bristol North West) (Lab)
- Hansard - -

I beg to move amendment 151, in clause 177, page 102, line 13, at end insert—

“(4) Notwithstanding any provision in section 6 of the European Union (Withdrawal) Act 2018, a court or tribunal shall have regard to decisions made by the European Court after exit day so far as they relate to any provision under this Act.”.

For fear of sounding like a broken record, my arguments in favour of the amendment are broadly similar to those for amendment 152—in seeking to assist the Government in our shared aim of getting a decision of adequacy with the European Commission, it would be helpful to set out in the Bill our commitment to tracking and implementing European jurisprudence in the area of data protection. Members will remember that amendment 152 dealt with the European data protection board. Amendment 151 makes the same argument, but in respect of the European Court.

I appreciate that there may be some political challenges in stating the aim that the UK will mirror the European Court’s jurisdiction, but the reality is that developing European data protection law, either directly from the courts or through the European data protection board, will in essence come from the application of European law at the European Court of Justice. The amendment does not seek to cause political problems for the Government, but merely says that we ought to have regard to European case law in UK courts, in order to provide the obligation to our learned friends in the judiciary to have regard to European legal decision making and debates in applying European-derived law in the United Kingdom. This short amendment seeks merely to put that into the Bill, to assist the Government in their negotiations on adequacy with the European Commission.

--- Later in debate ---
Margot James Portrait Margot James
- Hansard - - - Excerpts

Courts will be allowed to follow the jurisprudence of the ECJ in this area of data protection. Nothing I am saying is prompting a departure from that position. We see the amendment as going further than we would like to go. By contrast, the Government’s proposed approach to CJEU oversight respects the referendum result and is clear, consistent and achievable.

Darren Jones Portrait Darren Jones
- Hansard - -

The Minister gave a full answer, largely in agreement with the points I made.

Margot James Portrait Margot James
- Hansard - - - Excerpts

Not much; not with those.

Darren Jones Portrait Darren Jones
- Hansard - -

I agree. I would therefore invite the Government to reconsider their position and support the amendment, because it reflects what is in the EU (Withdrawal) Bill, it talks about having regard to ECJ jurisprudence in future and, as the Minister pointed out, Government policy and the Government’s intention are that we are going to end up in that position anyway. By putting that in the Bill, we would put it into law and give a very clear signal to our colleagues in the European Union that that is our intention and we will stand by it.

The Minister’s arguments do not seem to stack up. If I were saying in the amendment that we must apply ECJ case law directly and that the UK courts had no power to disregard EU jurisprudence I would probably agree, but that is not what it seeks to do. I am not convinced it goes beyond the Government’s policy position nor what is said in the EU (Withdrawal) Bill. I merely seek to help the Government by making this simple amendment to the Bill. With your permission, Mr Streeter, I will push it to a vote.

Question put, That the amendment be made.

Data Protection Bill [ Lords ] (Morning sitting)

Debate between Darren Jones and Margot James
Thursday 15th March 2018

(6 years, 8 months ago)

Public Bill Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Margot James Portrait Margot James
- Hansard - - - Excerpts

I reassure the hon. Gentleman that divergence, if it occurs, will apply only to the applied GDPR, which is outside the scope of EU law, and therefore may well apply in a similar sense to member states as well as to us, when we become a third country.

Darren Jones Portrait Darren Jones
- Hansard - -

I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.

From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.

The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.

Data Protection Bill [ Lords ] (Third sitting)

Debate between Darren Jones and Margot James
Thursday 15th March 2018

(6 years, 8 months ago)

Public Bill Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Margot James Portrait Margot James
- Hansard - - - Excerpts

I reassure the hon. Gentleman that divergence, if it occurs, will apply only to the applied GDPR, which is outside the scope of EU law, and therefore may well apply in a similar sense to member states as well as to us, when we become a third country.

Darren Jones Portrait Darren Jones
- Hansard - -

I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.

From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.

The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.

Data Protection Bill [ Lords ] (Second sitting)

Debate between Darren Jones and Margot James
Tuesday 13th March 2018

(6 years, 8 months ago)

Public Bill Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Margot James Portrait Margot James
- Hansard - - - Excerpts

The right hon. Member for Birmingham, Hodge Hill covered a lot of important ground. He mentioned the digital charter. We are bringing forward the digital charter and we do not intend for it to be set in stone. We recognise that this is a fast-changing environment and so it is deliberately something that will evolve over time. We both share the concerns that he expressed with regard to fake news and the rights and protections needed for children and young people who, as he says, make up a third of internet users. We will address many of the things he highlighted as part of our internet safety strategy, and I look forward to debating them further with him on Report.

To add to what we have already discussed under schedule 1, article 9 of the GDPR limits the processing of special categories of data. Those special categories are listed in article 9(1) and include personal data revealing racial or ethnic origin, health, political opinions and religious beliefs. Some of the circumstances in which article 9 says that special category data can be processed have direct effect, but others require the UK to make related provision.

Clause 10 introduces schedule 1 to the Bill, which sets out in detail how the Bill intends to use the derogations in article 9 and the derogation in article 10 relating to criminal convictions data to permit particular processing activities. To ensure that the Bill is future-proof, clause 10 includes a delegated power to update schedule 1 using secondary legislation. Many of the conditions substantively replicate existing processing conditions in the 1998 Act and hon. Members may wish to refer to annexe B to the explanatory notes for a more detailed analysis on that point.

Darren Jones Portrait Darren Jones
- Hansard - -

I want to make one point about schedule 1. Amendment 9, which was made this morning, allows democratic engagement to be a purpose under article 6(1)(e) of the GDPR—namely, that consent is not required for the processing of data for public interest or the exercising of official authority and the purposes of democratic engagement. I wonder whether the definitions of political parties and politicians under schedule 1 could be used to restrict that amendment, so that organisations other than political parties and politicians are not able to process data in the public interest for democratic engagement without consent. For example, if Leave.EU or Open Britain wanted to process our personal data, they ought to do so with consent, not using the same public interest for democratic engagement purposes as politicians or parties.

Margot James Portrait Margot James
- Hansard - - - Excerpts

I understand the hon. Gentleman’s concerns. The GDPR requires data controls to have a legal basis laid down in law, which can take the form, for example, of a statutory power or duty, or a common-law power. Any organisation that does not have such legal basis would have to rely on one of the other processing conditions in article 6. With regard to the amendment that was agreed to this morning, we think that further restricting clause 8 might risk excluding bodies with a lawful basis for processing. However, the hon. Gentleman is free to raise the issue again on Report.

Question put and agreed to.

Schedule 1, as amended, accordingly agreed to.

Clauses 11 to 13 ordered to stand part of the Bill.

Clause 14

Automated decision-making authorised by law: safeguards

Data Protection Bill [ Lords ] (First sitting)

Debate between Darren Jones and Margot James
Tuesday 13th March 2018

(6 years, 8 months ago)

Public Bill Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Darren Jones Portrait Darren Jones
- Hansard - -

Of course the hon. Gentleman is right that the article includes principles of data protection, but we are trying to make the Government’s job in seeking the decision on adequacy with the European Union as easy as possible. This seems an easy way to facilitate that. Clearly, there is a dereliction of fundamental rights through not copying and pasting this across into UK law. Although there are data protection principles under the European convention on human rights, article 8 states:

“Everyone has the right to respect for his private and family life, his home and his correspondence.”

That does not sound very modern or digital to me. Although rights flow from that, the charter rights on communications—specifically electronic communications— seem much more fit for the future. I welcome the Secretary of State’s comments that the Bill seeks to make our country fit for the future. Let us rely not on a world of manual correspondence, but on one of electronic communications.

The new clause is not ideological; it does not seek to rebalance power between business controllers and individual citizens. It merely seeks to replicate what is in law today: a basic and fundamental human right that seems to me and to others to be perfectly sensible. Only yesterday, I was in Brussels with the European Scrutiny Committee, meeting Mr Barnier. He talked positively about wanting to get agreement on data adequacy, given its importance—not least because 11% of global data flows come to the UK, 70% of which are with the EU. It would be a disaster for this country if we did not have adequacy, so let us make our job easier to effect that shared aim across the Floor of the Committee and with our counterparts in Europe of seeking a decision on adequacy. Let us put this new clause into the Bill, so that we maintain the position that our data subjects have today: a fundamental right, which is in the European charter of fundamental rights, and in the future will be in this Bill.

Margot James Portrait Margot James
- Hansard - - - Excerpts

I thank speakers for their thoughtful contributions. I share many of their concerns, as do the Government, particularly with regard to adequacy, which I will talk about in more detail. I think we are all agreed that after Britain leaves the European Union we must be able to negotiate an adequacy agreement for the free flow of data between us and the EU. That is absolutely essential.

First, the GDPR implements the right to data protection and more. It is limited in scope, but the Bill also implements data protection rights on four areas beyond GDPR. It applies GDPR standards to personal data beyond EU competence, such as personal data processed for consular purposes or national security. Secondly, the Bill applies the standards to non-computerised and unstructured records held by public authorities that the GDPR ignores. Thirdly, the Bill regulates data processed for law enforcement purposes. Fourthly, it covers data processed by the intelligence services.

There is no doubt in our minds that we have fully implemented the right to data protection in our law and gone further. Clause 2 is designed to provide additional reassurance. Not only will that be clear in the substance of the legislation, but it is on the face of the Bill. The Bill exists to protect individuals with regard to the processing of all personal data. I think this is common ground. We share Opposition Members’ concern for the protection of personal data. It must be processed lawfully, individuals have rights, and the Information Commissioner will enforce them.

New clause 12 creates a new and free-standing right, which is the source of our concern. Subsection (1) is not framed in the context of the Bill. It is a wider right, not constrained by the context of EU law. However, the main problem is that it is not necessary. It is not that we disagree with the thinking behind it, but it is not necessary and might have unforeseen consequences, which I will come to.

Article 6 of the treaty on European Union makes it clear that due regard must be had to the explanations of the charter when interpreting and applying the European charter of fundamental rights. The explanations to article 8 of the charter confirm that the right to data protection is based on the right to respect for private life in article 8 of the ECHR. The European Court of Human Rights has confirmed that article 8 of the ECHR encompasses personal data protection. The Government have absolutely no plans to withdraw from the European Court of Human Rights.

The new right in new clause 12 would create confusion if it had to be interpreted by a court. For rights set out in the Human Rights Act, there is a framework within which to operate. The Human Rights Act sets out the effect of a finding incompatible with rights. However, new clause 12 says nothing about the consequences of potential incompatibility with this new right to the protection of personal data.

--- Later in debate ---
Margot James Portrait Margot James
- Hansard - - - Excerpts

That brings me on to my other point: not only does this roll-over, as the right hon. Gentleman puts it, threaten to create confusion and undermine other rights, but it is unnecessary. The charter of fundamental rights merely catalogues rights that already exist in EU law; it is not the source of those rights. The rights, including to data protection, which is, importantly, what we are here to debate, arise from treaties, EU legislation and case law. They do not arise from the European charter of fundamental rights, so we argue that the new clause is completely unnecessary.

Darren Jones Portrait Darren Jones
- Hansard - -

The right exists in its own right in the European charter of fundamental rights. That is why European Courts refer to it when making decisions. If the Courts did not think that it was an established right in itself, they would refer to the other sources of legislation that the Minister mentioned. It therefore must, as a matter of logic, be a legal right that is fundamental; otherwise, the Courts would not refer to it.

On the Minister’s original comments about the consequences of the new clause, I think they are clear in the drafting. Subsection (2), as my right hon. Friend the Member for Birmingham, Hodge Hill said, states that processing personal data must comply with GDPR and the derogations in the Bill, and the consequences of subsection (3) are that the Information Commissioner should ensure compliance. In ensuring compliance, the commissioner will look to GDPR and the Bill to understand the consequences of a breach of a fundamental right that already exists.

Margot James Portrait Margot James
- Hansard - - - Excerpts

The source of the rights that we are discussing are EU legislation and case law. Those rights will be protected in UK domestic law after we leave the European Union by the European Union (Withdrawal) Bill. We have fully protected the right to data protection in our law. We have considered new clause 12 carefully, and it creates a new right. As I said, the arguments are well rehearsed, which is why we created clause 2 with the agreement of the Opposition spokespeople in the House of Lords.

The Government are determined to ensure the future free flow of data when we leave the European Union. We have heard much about the importance of, and the need for, an adequacy agreement, and I agree with everybody who has spoken on that. The general consensus is that, to achieve that, we need to faithfully implement the GDPR, and avoid the courts finding parts of the GDPR potentially incompatible with a new right. If that happened, rather than enabling the free flow of data, we would risk undermining it.

Twelve countries have negotiated adequacy arrangements with the European Union, including Canada, Israel, Uruguay, New Zealand and the United States. None of those countries was obliged by the EU Commission to put the charter of fundamental rights into their law, so I think Members can rest assured that the new clause is entirely unnecessary to achieve adequacy on our departure.

--- Later in debate ---
Margot James Portrait Margot James
- Hansard - - - Excerpts

I do not agree with the hon. Gentleman. I share his concern that we need to negotiate an adequacy agreement effectively; I am at one with him on that matter. For the reasons I have outlined, I do not believe that, if our clause is passed unamended, it will undermine that right when we come to negotiate an agreement. He made the point that those other countries are in a different position. They are already third countries in relation to us, and will be so when we leave. We will become a third country when we leave the European Union. I accept that the situation is different, but it puts us at an advantage. We are incorporating the GDPR in its entirety into UK legislation, and I assure the hon. Gentleman that we have that safeguard.

Future free flow of data is absolutely at the top of our agenda for the forthcoming EU negotiations. As I said earlier, my right hon. Friend the Prime Minister made that clear in her Mansion House speech two weeks ago. We want to secure an agreement with the EU that provides stability and confidence for EU and UK businesses and individuals, and ensures we achieve our aims of maintaining and developing the UK’s strong trading and economic links with the European Union.

Ultimately, as some Opposition Members said, importing text from the EU charter of fundamental rights is unnecessary. The general principles of EU law will be retained when we leave the EU via the European Union (Withdrawal) Bill for the purposes of the interpretation of the retained EU law. The GDPR will be retained. Indeed, the Bill will firmly entrench it in our law. The right to the protection of personal information is a general principle of EU law, and has been recognised as such since the 1960s. The withdrawal Bill requires our courts to interpret the GDPR consistently with the general principle reflected in article 8 and retained CJEU case law, so far as it is possible to do so.

Darren Jones Portrait Darren Jones
- Hansard - -

Does the Minister recognise that, under the European Union (Withdrawal) Bill, the application of the EU acquis—EU law—is based on legislation that existed before the point of exit? It will not continue to apply to new legislation and developments after the point of exit. The new clause needs to be in the Bill to maintain that position for the future; we must not just look back into the past.

Margot James Portrait Margot James
- Hansard - - - Excerpts

The European Union (Withdrawal) Bill fully protects the rights to data protection in our law. As I said earlier, we are seeking not only adequacy after Brexit, but a continuing role in conjunction with the bodies in Europe that govern the GDPR, with the idea that we continue to contribute our expertise and benefit from theirs.

Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

I am afraid we have heard a very weak argument against new clause 12. The Minister sought to prosecute two lines of argument: first, that new clause 12 risks confusion in the courts; and, secondly, that it is not needed. Let me take each in turn.

First, there can be no risk of confusion because this is not a new right. It is a right we already enjoy today, and our courts are well practised in balancing it with the other rights we enjoy. We are simply seeking to roll over the status quo into the future to put beyond doubt an adequacy agreement not just in the immediate years after we leave the European Union but in the decades that will follow.

Secondly, the Minister sought to persuade us that the new clause was not needed, and she had a couple of different lines of attack. First, she said that the source of our new protections would be the incorporation of EU case law and legislation as enshrined by the European Union (Withdrawal) Bill. Of course, that is simply not applicable to this case, because the one significant part of European legislation that the withdrawal Bill explicitly does not incorporate is the European charter of fundamental rights. The Minister slightly gave the game away when she read out the line in her briefing note that said that the rights we currently have in EU law would be enshrined and protected “so far as it is possible to do so.” That is exactly the kind of risk we are seeking to guard against.

As noble peers argued in the other place, the challenge with incorporating the GDPR into British law is that this is a piece of regulation and legislation that reflects the world of technology as it is today. It is not the first bit of data protection legislation and it will not be the last. At some point in the years to come, there will be a successor piece of legislation to this Bill and the courts’ challenge will be to make judgments that interpret an increasingly outmoded and outdated piece of legislation. We have to ensure that judgments made in the British courts and in the European courts remain in lockstep. If we lose that lockstep, we will jeopardise the future of an adequacy agreement. That will be bad for Britain, bad for British businesses and bad for technology jobs in all our constituencies.

The challenge we have with regulating in this particular field is that sometimes we have to be anticipatory in the way we structure regulations. Anyone who has spent any time with the British FinTech industry, which Ministers are keen to try and enhance, grow and develop for the years to come, will know that FinTech providers need to be able to test and reform bits of regulation in conjunction not only with the Information Commissioner but with other regulators such as the Financial Conduct Authority. For those regulators to be able to guarantee a degree of regulatory certainty, sometimes they will need to look beyond the letter of a particular piece of legislation, such as the Data Protection Bill when it becomes an Act, and reflect on the spirit of that legislation. The spirit is captured best by fundamental rights. The challenge we have is in the thousands of decisions that our regulators must take in the future. How do we put beyond doubt or dispute the preservation of regulatory lockstep with our single most important market next door?

The Uruguayan defence offered by the Minister will reassure few people. We should not be aspiring to the Uruguayan regime; we should be aspiring to something much deeper, more substantive and more harmonious. The Minister’s proposal will create a field day for lawyers. We all like lawyers; some of our Committee members are former lawyers—recovering lawyers in some cases. Lawyers should enjoy a profitable and successful future, but we in this House do not necessarily need to maximise their profit-making possibilities in the future. However, that is exactly what the Minister is doing by creating a pot pourri of legislation, which lawyers and judges will have to pick their way through. It is much simpler, much lower-risk, much safer and better for economic growth if we put beyond doubt, dispute and question the harmonisation of our data protection regime with our single most important market. That is why we need to incorporate article 8.

--- Later in debate ---
Margot James Portrait Margot James
- Hansard - - - Excerpts

I support the general tone of the right hon. Gentleman’s comments. I too was pleased to see the interview with the Secretary of State, his focus on the addictive nature of some of these apps and the idea that there could be within the technology a means of limiting the time children spend on them, which parents could click on. The Information Commissioner’s Office will publish guidance shortly on how clause 9 will work and what those safeguards will be. She will take into consideration an age-appropriate design, as suggested by Baroness Kidron.

Overall, where online services referred to in the Bill as “information society services” choose to rely on consent as the basis for their processing, article 8 of the GDPR sets the age below which a website must obtain the parents’ and not the child’s consent. Most websites will be captured by this additional safeguard, ranging from online banking to search engines to social media, with social media probably being the most relevant to the age group in question.

The GDPR gives member states the flexibility to set this age within a prescribed range of between 13 and 16. The Bill sets it at 13, with an exception for preventive and counselling services, for which the test is based purely on the child’s capacity to understand what they are being asked to consent to. The Government are satisfied that the Information Commissioner’s Office has adequate enforcement powers, including large fines for any offences committed in this area.

Darren Jones Portrait Darren Jones
- Hansard - -

The Minister said that Europe provides that the age range is between 13 and 16. In fact, the GDPR says the age for consent is 16, but that member states can derogate down to 13. I do not wish to be an annoying lawyer, but it is an important distinction. Our colleagues in Europe are saying that the age they deem to be appropriate is 16, but they are giving member states flexibility to go lower. Interestingly, article 8(2) talks about how reasonable efforts need to be taken to verify age and consent

“taking into consideration available technology.”

My view is that, on these types of issues, there should be better technology for age verification as part of using online services and, where children’s data is being used to commercialise and monetise for the purposes of advertising, there should be additional safeguards for children.

I ask the Minister only to keep an open mind in the future, so that when we get to a position where technology providers can verify the age of children—I appreciate that is perhaps currently a little difficult—if industry does not move voluntarily to this position, the Government consider regulating in that regard.

Margot James Portrait Margot James
- Hansard - - - Excerpts

The hon. Gentleman is right that the GDPR stipulates 16 as the minimum age for consenting to data processing without parental consent, but that it provides for member states to derogate from that. At least seven, including Spain, Ireland and Denmark, have done just that. Like us, they have proposed a much younger age of 13, so we are not an outlier on the issue.

Currently, the minimum age in this country for allowing personal data to be used without parental consent is 12, so in a sense we are derogating from that policy by setting the minimum age at 13 in the Bill. The hon. Gentleman is right to point out that it is very difficult for technology companies to implement meaningful verification mechanisms for those younger than 18, who may not have anything like a credit card or driving licence. I have no doubt that the Government will keep an open mind on the matter, in line with other developments that will take place long after the Bill is passed.

Question put and agreed to.

Clause 9 accordingly ordered to stand part of the Bill.

Clause 10

Special categories of personal data and criminal convictions etc data

--- Later in debate ---
Margot James Portrait Margot James
- Hansard - - - Excerpts

It does happen. That is not a new provision, but one that was imported from the current law. Unfortunately, some crucial words were accidentally lost in the process of importing it. The amendment reinstates them.

Schedule 1 sets out UK domestic legislation to allow the processing of particularly sensitive data in certain circumstances. The Government’s view is that the processing of such data must be undertaken with adequate and appropriate safeguards to ensure that individuals’ most sensitive data is appropriately protected. One of those safeguards is the new requirement for an appropriate policy document to be maintained in most circumstances when special categories of data and criminal convictions data are processed. That is set out in paragraph 5 and part 4 of the schedule.

Since the Bill’s introduction, we have reflected on whether there are cases where the requirement to hold an appropriate policy document is so disproportionate that, rather than improving protections, it effectively prevents the necessary processing from taking place. Amendments 79, 82 and 90 remove the requirement for a controller to have an appropriate policy document where processing involves the disclosure of special category data to a competent authority for the detection or prevention of an unlawful act, the disclosure of special category data for specific purposes in connection with journalism, or the disclosure of special category data to an anti-doping authority. Amendment 80 defines what is meant by “competent authority”. The aim of those amendments is to avoid a scenario in which an individual who never normally processes data under schedule 1 wishes to report a crime, report something of public interest to the media or report doping activities in sport and, in so doing, processes special categories of data and would have to have in place an appropriate policy document.

Amendment 76 reflects that change to the requirement to have an appropriate policy document by inserting the words, “Except as otherwise provided” in paragraph 5 of the schedule. Amendments 87 and 89 make it clear that, in the context of schedule 1, “withholding consent” means doing something purposeful, not just neglecting to reply to a letter from the data controller. That avoids a world in which data controllers have an incentive not to bother requesting consent in the first place.

Paragraph 31 of the schedule requires the controller to have an appropriate policy document in place when relying on a processing condition in part 2 of the schedule to process criminal convictions data. However, all the provisions in part 2 are subject to the policy document requirement except where noted, so there is no reason to state it again in paragraph 31. Amendment 91 removes that duplicate requirement. It is simply a tidying-up amendment to improve the coherence of the Bill.

Darren Jones Portrait Darren Jones
- Hansard - -

On a point of order, Mr Hanson. I think I was remiss in not declaring my interest at the start of my contributions to today’s proceedings. With your permission, I seek to rectify that.