Jim Shannon
Main Page: Jim Shannon (Democratic Unionist Party - Strangford)I am pleased to have secured this debate. I am, of course, delighted to see the Under-Secretary of State for Culture, Media and Sport at the Dispatch Box, although I am a little surprised that a Ministry of Justice Minister is not here instead. The hon. Gentleman will understand why as I develop my argument.
There are many problems relating to the use of personal data by new media companies. We could be discussing the BBC report this morning: after a journalist went on to just four websites, 40 companies put cookies on to his computer to track what he was doing. We could be discussing the fact that Google has just three months to change its privacy policy or pay a £500,000 fine or the fact that Prism, used by the United States National Security Agency, has been collecting data from Microsoft and many other large companies.
However, the specific issue that I want to talk about is the use of personal data by mobile phone companies and the special sensitivity that arises because of the fact that the mobile phone companies know the location of the user. On 12 May, The Sunday Times reported that EE had sold to Ipsos MORI the personal data of 27 million mobile phone users, including their gender, age and postcode, the websites they visited, the time of day texts were sent, and, linked to that, their location when the texts were sent. Customers were clearly not aware that their data were being handed on and used in this way. Ipsos MORI then had a meeting with the Metropolitan police to discuss selling the data on for a second time. These data go beyond anything the police can get without an application under the Regulation of Investigatory Powers Act 2000. The scale of this is demonstrated by the fact that in 2011 only 2,911 such orders were given. Furthermore, a proposal to allow the police to hold such data was dropped by the Home Secretary last year.
The day after reading that article, I wrote to the Minister and requested various assurances from him. I have not had an answer so far, but perhaps this evening he will respond to the points I made. I asked him whether he had discussed the matter with industry, what steps the Government had taken to ensure that such data do not fall into undesirable hands, whether he had had a report from the Metropolitan police, whether the Government believe that it is right that a larger range of data are being used and sold than is allowed under RIPA, and what action the Government are taking to protect our citizens.
Because I did not receive an answer, I wrote to the mobile phone companies and the Information Commissioner’s Office, most of which provided full responses. I also had meetings with EE, the Open Rights Group and Big Brother Watch. Three companies told me that they do not sell on personal data at all, Ipsos MORI explained that the data were aggregated into groups of at least 50 people, and Telefonica pointed out, reasonably enough, that the location data are needed for “find my nearest” services. When I asked EE if the public might judge themselves whether they were satisfied with the arrangements it had made with Ipsos MORI and suggested that the way to achieve that would be for it to publish its contract with Ipsos MORI regarding the sale, it said that it could not do so because it was “confidential”.
All the companies said they believed that their practices fell within the Data Protection Act 1998 and that the data had been anonymised as defined in that Act. The ICO said that having datasets with names or addresses stripped out and aggregated into groups of 50
“does not enable particular individuals to be identified”.
Unfortunately that is not the case. By combining these data with other datasets—for example, those of the Land Registry—individual people can be identified. In March this year, Nature published a science report by academics at the Massachusetts Institute of Technology and Harvard, Louvain and Valparaiso universities which concluded that
“in a dataset where the location of an individual is specified hourly…four spatio-temporal points are enough to uniquely identify 95% of the individuals…These findings represent fundamental constraints to an individual's privacy and have important implications for the design of frameworks and institutions dedicated to protect the privacy of individuals.”
I thank the hon. Lady for bringing this vital issue to the House. A week does not pass in my constituency without the police warning people to be aware of a scam. Data seem to become available to many organisations, especially the mobile phone groups. Does the hon. Lady agree—I hope the Minister will also respond to this—that, rather than addressing the issue regionally, it would be best to do so with a strategy across the whole United Kingdom of Great Britain and Northern Ireland?
The hon. Gentleman is absolutely right. Indeed, the European Union will make proposals, which will obviously cover the United Kingdom. That is essential, because we are dealing with international companies, so we need international agreements to tackle the problems.
The current law is inadequate to protect people’s privacy, partly because there has been significant technological change since 1998. The advent of cloud computing and the increasing sharing of personal information on online social networks mean that fewer and fewer data are needed to identify people. Furthermore, the current consent rules are completely inadequate. For consent to be meaningful, it needs to be explicit, informed and freely given. Usually, that is not the case —the consent is buried somewhere in paragraph 157 of the terms and conditions—and people have no option to refuse if they want the service at all.
Data are not used for the purposes requested or desired by their owner. In other words, the legal definition of legitimate use is too weak. The data that mobile phone companies hold are extremely sensitive and neither those that they sell nor their changed use have been agreed with the customers. The sanctions are weak, as is evident from the fact that the ICO will fine Google only £500,000 if it does not change its policies.
There are two relevant laws: the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. Do the Government think there is a proper legal basis for processing customers’ location data for the benefit of the marketing purposes of third parties? Does the Minister believe that the ICO is taking enough action to require mobile phone companies to keep consumers informed?
If the Government think that the public are not bothered, they are surely mistaken. Last year Demos carried out some public opinion surveys as part of a report on data sharing and protection. The surveys found that losing control of personal information is the public’s most significant concern with regard to using new technology. They also found that people are sharing more, but that they have a “crisis of confidence” in relation to it. On sharing personal data, 52% of the public were non-sharers or sceptics, compared with only 27% who were described as value hunters or enthusiastic sharers.
Against that background, Neelie Kroes, the EU commissioner for the digital agenda, has made proposals to give people effective control over their personal data, which is a fundamental right for all EU citizens. Under her proposals, an individual’s consent would have to be given explicitly and there would also be a new right to be forgotten whereby, if requested, a data holder would have to delete all the data they hold on a particular person. She also proposes that people should have easier access to their personal data; that there should be a right to transfer those data from one data holder to another; that people should receive speedy information of personal data security breaches; and that there should be stronger protection for children.
The Justice Select Committee has described the draft regulation as necessary and agrees that a shared approach across the EU is necessary for dealing with these large multinational companies, yet the Lord Chancellor has described the proposals as “mad”. The Government have complained about the costs and the potential loss of £15 million of income in fees to the ICO.
Of course no one wants to impose unnecessary burdens on business, and especially not on small and medium-sized enterprises, but if the Government got their act together and started taxing those large new media companies properly, they would easily acquire the necessary resources to enable the institutions to provide proper protection for our citizens. That is evident from the fact that Google paid only £3 million in tax on a £2 billion turnover.
Furthermore, the Government seem to be supporting attempts to weaken people’s rights. The Ministry of Justice’s summary of responses document, which it published in June 2012, said that the Government would
“resist the proposal that subject access rights be exercisable free of charge”,
and that they would resist the right to be forgotten. Although they accepted that people should receive notifications of data breaches, they resisted the introduction of a speedy timetable for them. They also felt that the imposition of a fine of 2% of turnover would be “disproportionately high”.
To summarise my argument, 70% of Europeans are concerned that companies use data for purposes other than that for which they were collected, and 94% of the British public worry about their online privacy. British people’s data have been used and sold without their knowledge, and the rapid pace of technological change means that the law is in urgent need of updating. Privacy is a fundamental human right and the EU is now bringing forward sensible proposals to tackle this, which the Lord Chancellor has described as “mad”. Is this because the Tory-led Government are so in hock to big business that they refuse to protect citizens’ privacy, or because the Lord Chancellor is so Europhobic that he cannot recognise a good idea when it comes along?