Ian C. Lucas
Main Page: Ian C. Lucas (Labour - Wrexham)Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
It has been a real privilege to be here this afternoon to listen to the debate, which has certainly been educational for me. I commend the hon. Member for Harlow (Robert Halfon) for taking the opportunity to initiate this debate and I also commend the Backbench Business Committee for choosing this debate for Westminster Hall. We are at the beginning of a very important process and the hon. Gentleman can take great credit for initiating the debate today.
I particularly want to praise the hon. Gentleman for focusing on the invasion of privacy by private organisations. Although there have been many discussions about personal liberty during the past decade in the context of terrorism legislation, as the hon. Member for Cambridge (Dr Huppert) observed, the focus in those discussions was very much on the position of the state. While that debate has been happening we have paid too little attention to the increase in the collection of information by private organisations. It is very important that we are discussing this issue today. We need to be at the beginning of a process that deals very seriously with what is a difficult and complex issue. I think that that complexity is the main reason why it is only now that the general public is waking up to what is already happening in the internet sector.
The contributions from all Members who have spoken have been very valuable. I want to refer to those contributions, as they deserve further discussion, and I hope that we will discuss them as we take the debate further forward. The hon. Member for Cambridge perhaps concentrated more on the state aspect than any other speaker so far. We had many debates before the last general election on the issues related to the state and I think that today we should concentrate on the issues relating to internet privacy and private organisations. We need to focus on that aspect.
We are talking about who owns the body that collects the data, but for me that is rather the wrong way round. Surely the vital question is this—whose property is information about a person when it is transmitted? I ask that question, because surely that is what we mind; the infringement of information about ourselves being collected, whoever is collecting it. So, let us look at the property rights, but can we change things around and focus on the individual and not on the person or the body that collects information about the individual?
That is helpful. We need to consider the position concerning regulation on the issue. I will come to that later in my remarks.
It might be helpful to refer back to the present position as far as I understand it. It is a complex area, so I might get some things wrong. The Data Protection Act 1998 established principles for the retention of personal data, and the Information Commissioner has had a role in supervising those principles generally. The Information Commissioner has been referred to several times. I certainly agree that he needs to push the boundaries of his powers in protecting the individual’s rights, and I do not think that that has happened sufficiently in the past.
In respect of private marketing, the Privacy and Electronic Communications (EC Directive) Regulations 2003 focused on the sending of unsolicited marketing messages by e-mail, and consultation on the further development of regulations in that area is taking place. The history of regulation is a consistent race between technological development and legislation. One example is the Data Retention (EC Directive) Regulations 2009, which included internet activity in the communications data to be retained for a year by communications providers. All those regulations should be viewed against the backcloth of the Human Rights Act 1998 and its attempt to balance privacy and freedom of speech. Recent developments in the common law on privacy add to the mix, making the legal position even more complex.
It has been said in this debate that in some respects, the United Kingdom has been slower to act on such issues. I believe that part of the reason is that the English legal system does not have the same common law right to privacy that many other countries do. For example, France and Germany have laws specifically to protect individuals from invasions of privacy. I think that most people are surprised by the limitations on enforcement of privacy rights within the UK. The tools that exist in common law are very limited.
We have a difficult balancing act when trying to take matters forward. I was the Minister for Business and Regulatory Reform before the general election and, although it may come as a surprise to some Members here, I always adopt the principle that one should regulate as a last resort, only in pursuit of a particular policy end and where other options are not available. My first reaction to proposals to reform the legislative or regulatory framework is to ask whether we can use some form of self-regulation. I think that we all accept that it is a difficult problem that we need to confront. Can we do so through self-regulation within the industry? Self-regulation would have some advantages. The problem is not, of course, confined to the United Kingdom.
I thank the hon. Gentleman for his thoughtful opening remarks. On the voluntary side of things, that is exactly what I argued. I suggested that we should have a code, in the same way that the British Medical Association has a code for doctors, lawyers have a code and so on. That should be the first course of action, rather than the immediate implementation of state action.
We should certainly consider that approach. However, I was going to conclude that I do not think that it will be sufficient; I think that some other Members have also taken that view. Self-regulation in media organisations has not had a happy time recently in the United Kingdom. The Press Complaints Commission comes immediately to mind; it has failed badly in the News of the World inquiry and case. I am suspicious of over-mighty international media organisations. What happened in that context—there was a regulator and a voluntary regulatory system—could certainly recur in the case of an organisation such as Google, for example, about which we have heard a lot in this debate. Google is a powerful, rich and monopolistic organisation. What happens in a self-regulatory system where the powerful, over-mighty subject ignores the regulator?
Does the hon. Gentleman think that the problems that he is describing are endemic in all large organisations that handle large amounts of personal data, whether they are search engines, mobile phone companies or banks? It takes only a certain number of rogue employees to release for personal gain private information to which they are privy. The steps that a company can take to protect itself from that are serious, but also complex.
Indeed. One problem with a Law Society or BMA model, with respect to the hon. Member for Harlow, is that although that would be an appropriate way to proceed for some of the organisations involved in collecting such information—they are responsible professional organisations and would act responsibly—unfortunately, it would not be appropriate for all. Other organisations might take a much more laissez-faire approach—if I dare use that phrase in the presence of so many Conservatives—and would not deal with the issue responsibly. I am concerned that a self-regulatory system might not be as effective as we would like.
Does the hon. Gentleman not agree that there are many different versions of and variations on self-regulation? For example, the Advertising Standards Authority model is completely different from that of the BMA. Surely it is possible to design a model to have the right amount of independence as well as teeth, so that it gets the respect and compliance that we want.
That may be. We are at the beginning of a debate, and I am setting out my personal views at this juncture. When I conclude, I will agree that we need to examine the matter in more detail, but those are my concerns about a self-regulatory framework. With fines, for example, it is difficult to create an effective system that imposes large financial penalties on companies that do not wish to pay them. If the fines involve hundreds of thousands or even millions of pounds, only the force of law will be sufficient to ensure that the necessary action is taken.
I thank the hon. Gentleman for giving way a second time. He is right about fines, but I think that it is possible. I speak from experience, having worked in the advertising industry. An advertiser that breaks the Advertising Standards Authority code may be forced to withdraw an advert that it might have spent hundreds of thousands of pounds making. That is why self-regulation and enforcement of the code are effective in the advertising industry. In the case of the Press Complaints Commission, by contrast, a slap on the wrist or an article in a newspaper is a small price to pay.
That may be the case. We can discuss it as the conversation continues beyond this debate. The hon. Member for Wycombe (Steve Baker), who is no longer in his place—he seems to have disappeared—pointed out a moment ago that information belongs to the individuals who give it in the first place. That is a strong point.
Part of the problem with the issue is that when people use their computers—this certainly applies to me; I am not a geek of the type described by the hon. Member for Cambridge—it does not always occur to them that they are passing on to a third party which books they like or what articles they are interested in. I think that most people are in that position. They concentrate on what they are using the internet for, and it is incidental to them that that information is being secured by a third party. I think that they would be shocked to learn that it was being traded for marketing purposes. The difficulty is that that process is already happening, because people are using the internet and have been for such a long time.
Is what my hon. Friend has just described not simply a corollary? Someone goes along with their credit card to buy a product and the information is known to Experian, which sells that information. Is it not just a case of people transferring their behaviours online? We are talking about the same stuff. We should perhaps not be too afraid of the fact we are behaving the same way on the internet as we would otherwise behave with our credit cards.
I am delighted that my hon. Friend is here; he is absolutely right. I feel slightly uneasy about such marketing—perhaps I am old-fashioned in that regard. What my hon. Friend mentioned is another reason to go wider in dealing with the matter. Rather than simply focusing on the internet, we need to consider how information about individuals is collected and used by third-party organisations. The primary purpose of, for example, a credit card is to buy something, not to give information to a third party. I think that someone said earlier that we need to educate the general public much more about the use of information, what is involved in the use of the internet and what information is being given to third parties. That is extremely important.
It is crucial that we give intense consideration to where we are. We need to consult widely with the industry, the internet service providers, the internet companies and the general public about how we deal with this difficult problem. People need to know much more about the scale of the information they are retaining and why it is being retained. I was slightly surprised by the hon. Member for Harlow talking about the extent of the information that Google has and the fact it has not given it to third parties. Why is it retaining that information, particularly when it seems to be very valuable? The exposition on marketing from the hon. Member for East Hampshire (Damian Hinds) was very useful in that regard. The hon. Member for Bath (Mr Foster) said that the value of the internet is £100 billion in the UK, so we are talking about massive stakes.
What has come out of the debate is that we need to have a very wide discussion and recognise that private organisations must be scrutinised in exactly the same way and to the same extent as governmental organisations. We have got ourselves into a very serious situation. We have heard about different approaches from hon. Members today and, although shades of different views have been expressed this afternoon, there is recognition across the House that we need to get to grips with the issue. We are not talking about a partisan matter in the same way that some civil liberty issues have been partisan in the past decade.
We have made a very good start on dealing with the matter today, but we need to make further progress. The type of commission that the hon. Member for Harlow mentioned would be a good start, but we must ensure that it consults as widely as possible. An important role of that commission should be to publicise to individuals not just in the UK, but across the world the extent of the information concerning them that is being obtained by these very large—in many cases, multinational—companies.
Collectively, we can deal with the issue. It may be that we can do so through some form of self-regulation. That has the advantage of being applicable across the world, if we can get the biggest companies to buy into such a system. If we cannot do that, it will be a very serious matter. The privacy and liberties of individuals are extremely important and, if required, we need to put in place a system of legislation to ensure that their rights are protected.
I hear what the hon. Gentleman says; when a senior Liberal Democrat comments that a junior Liberal Democrat is struggling with an issue, the junior Liberal Democrat should certainly take note of his colleague’s experience in the matter. The hon. Member for Bath (Mr Foster) made an incredibly useful contribution to the debate, as he always does, and mentioned the report published today by the Boston Consulting Group, which might have been commissioned by Google. The report estimated that in the UK alone, the internet economy is worth £100 billion. He was right to point out that a balance has to be struck between how we regulate the internet and protect personal privacy online on the one hand, and the fact that it is now an incredibly important economic force on the other. One of the reasons for its economic importance is that it has had the freedom to develop and businesses have had the freedom to establish themselves online.
We should make no mistake that the internet is regulated, a point that I make time and again. There sometimes seems to be a lazy assumption that what happens on the internet is beyond the law. That is absolutely not the case; illegal activity is still illegal, whether or not it takes place online. Indeed, we have a sophisticated and comprehensive regulatory framework that is intended to protect the individual, both offline and online. Matters of online privacy are regulated through the Data Protection Act 1998 and the Privacy and Electronic Communication (EC Directive) Regulations 2003, not to mention the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. Much of that is enforced through the Information Commissioner’s Office, which is responsible for upholding information rights, promoting openness by public bodies and enforcing data protection rights for individuals. Where a breach of those laws amounts to a criminal offence, appropriate enforcement action can be taken, either by the police or the Information Commissioner.
We all recognise, however, that there are practical differences between the online world and the physical world, which can cause difficulties for individuals and companies. My hon. Friend the Member for Harlow suggested that perhaps the time has come for an internet Bill of Rights, and I hear what he says. The Information Commissioner has published a code of practice on the collection of personal information online, and I have a copy here. It is 36 pages long and densely printed—I do not think the commissioner has worked in public relations—so I am not sure that it is being read in the Dog and Duck, but at least the detail exists. The commissioner would do well to meet my hon. Friend to discuss how the code of practice could be promoted and whether it meets some of the concerns that his proposed internet Bill of Rights would seek to address.
The code of practice sets down detailed guidance for public and private sector organisations operating online. It covers topics such as online marketing, cloud computing, the protection of young people online and, of course, privacy settings. The document is not set in aspic, and we continue to debate with a range of stakeholders how we can improve privacy online and other concerns. Only yesterday, the Department for Business, Innovation and Skills held a meeting with more than 100 stakeholders from across the sectors, including consumer interest groups and Consumer Focus, to discuss that issue. The ICO, as well as publishing the guidance, expects organisations to recognise that online processing brings with it new risks to individuals and that the mitigation of those risks requires careful consideration of privacy impacts before products and services are launched.
I want to take that further and to see businesses signing up openly to the ICO’s code of practice to demonstrate to their users that their services adhere to the highest standards. I cannot remember who asked, in an intervention, whether some sort of kitemark might be useful for internet sites. If an internet company signs up to the code of practice and adheres to it, I think that that information should be clearly displayed on their home page for the reassurance of consumers. Indeed, a link to that code of practice might be provided—not necessarily 36 pages of dense text, but an easy-to-read summary that aids the consumer in understanding privacy implications.
One of the difficulties with kitemarks on the internet is that one often has to go to a particular site to obtain certain information, and if one leaves a site that does not have a kitemark, one does not get any information. Although the kitemark is a good idea in principle, it would have to be exhaustively followed in order to succeed.
I understand the hon. Gentleman’s point, but I want to see self-regulation and voluntary action by organisations on the internet. That is a theme that I want to develop in my speech—I have only one hour and 10 minutes remaining, so I will try to speed up a bit. We have a code of practice that many companies say they adhere to, so that information should be made available to consumers. Critical momentum could be built up if more well-known and legitimate websites signed up to the code, made that plain on their home pages and allowed consumers to see what that code states.