Digital Economy Bill (Eleventh sitting) Debate
Full Debate: Read Full DebateKevin Brennan
Main Page: Kevin Brennan (Labour - Cardiff West)Department Debates - View all Kevin Brennan's debates with the Cabinet Office
(8 years ago)
Public Bill CommitteesI stress that I bought my tickets to see Paul Simon completely off my own bat, as a fan. My wife and I are enormously looking forward to going. I am prepared to pay the very high price because it will be such an amazing concert, but it would be far better if I could pay the face value or something close to it. I went online immediately the tickets were released and a huge number had gone already. Secondary ticketing sites were the only way that I could get the tickets. Like my hon. Friend the Member for Selby and Ainsty, I was bent over my laptop pressing the button trying to get the tickets as quickly as possible. I only say that to explain to the Committee that I feel the pain of all those who end up having to pay far more than face value because of automated bots.
The Committee will know that we asked Professor Michael Waterson to review secondary ticketing. His very good independent report makes a number of points relevant to the new clause. The offences set out in the Computer Misuse Act 1990 have broad application and the Waterson review concludes that unauthorised use of a computerised ticketing system to avoid ticket volume constraints may give rise to breaches of that Act. Such breaches need to be reported, investigated and case law then established.
Having said that, I recognise the very clear sense in the debate that there remains a problem to be solved. I reiterate the words of the Secretary of State, who said last week that
“the advice has always been that the Computer Misuse Act applied. I want to look carefully at that and see how best we can get to a robust position on this matter”.
She proposed to convene a meeting of all interested parties. If we can get it scheduled, we will have that meeting within a month; if not, I commit to holding it before Christmas.
It is welcome to have a deadline, but would it not be better if that meeting took place before Report, so that the Commons has an opportunity to consider the points made at it?
I have done a quick count. I think there are nine new clauses and two new schedules left. I remind hon. Members that we have an hour and 20 minutes before we have to finish.
New Clause 15
Storage of uploaded works
“(1) The Electronic Commerce (EC Directive) Regulations 2002 is amended as follows.
(2) After Regulation 19 (a)(ii) insert—
“(iii) does not play an active role in the storage of information including by optimising the presentation of the uploaded works or promoting them.”.”—(Kevin Brennan.)
This new clause clarifies circumstances when a digital service is deemed an active provider of copyright protected content.
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
I hope that the Minister enjoys his concert next week; I am sure he will be feelin’ groovy. I rise to speak to new clause 15, which is a probing new clause to clarify when a digital service is deemed to be an active provider of copyright-protected content. Taking on board what you have said, Mr Stringer, I will truncate my remarks.
The Electronic Commerce (EC Directive) Regulations 2002, which put into law the EU’s e-commerce directive 2000, include certain exemptions from liability for online services, including copyright-protected works. The fundamental concern from the music industry is that the hosting defence provided by regulation 19 of the 2002 regulations acts as a safe harbour and allows some services, including user-uploaded services such as YouTube, to circumvent the normal rules of licensing.
Those services can use copyright-protected content—a song by Paul Simon or Green Day, for example—to build businesses without fairly remunerating rights holders. In recent years, the music industry has argued that the online content market has developed in such a way that there is now a value gap between rights holders, such as artists, record companies and publishers and so on, and the digital services themselves, such as YouTube.
As evidence of that, the recent report by UK Music, “Measuring Music 2016”, highlighted that user-uploaded service YouTube, the most widely used global streaming platform, increased its payments to music rights holders by 11% in 2015, despite consumption on the service growing by 132%. That is the value gap in a nutshell. Further industry analysis indicates that video streams increased by 88% year on year, but generated only a 0.4% increase in revenues. Nine of the top 10 most watched videos on YouTube are official music videos by artists such as Adele, Psy, Taylor Swift and Justin Bieber.
The inequality ensuing from that safe harbour is not only between those who produce music and those who promote it online; the provisions in new clause 15 have benefits for other sectors that seek to achieve a level playing field in online markets, too. The current legal ambiguity and imbalance has created a distortion in the digital market itself, with services such as YouTube benefiting from those exemptions while other services, such as Apple Music and Spotify, do not. The reality is that many people principally use YouTube to play music. It is nonsense to suppose it is not an active provider of copyright-protected content as those other services are.
There was, and continues to be, a justification for exemptions in some areas for passive hosts, but those must reflect the balance between the rights of rights holders and users. The industry is concerned that existing provisions are not sufficiently defined and as a result are open to deliberate manipulation. New clause 15, which stands in my name and that of my hon. Friend the Member for Sheffield, Heeley, aims to clarify the legislative framework, so that creators and rights holders can secure a fair and proper value for the use of their work by online services in a fair and properly functioning market.
Will the Minister clarify some issues? Many of the matters raised by new clause 15 are being considered by European institutions at this very moment. On 14 September, the day after Second Reading, the European Commission published a draft directive on copyright that seeks to address many of these points. That is a welcome development, and the Minister will probably to refer to it in his response. After the recent referendum put us on the path towards Brexit, many issues have been raised in relation to these proposals. It is highly conceivable that we will be Brexiting at the same time as Europe begins to adopt copyright rules for a digital age.
I would like to ask the Minister a few questions. First, will he assure us that the UK Government remain committed to engaging constructively with the European Union on matters relating to the draft copyright directive, and that they will put the interests of the creative industries at the heart of their representations? Secondly, will he support the positive measures in the draft directive that address the value gap between rights holders—particularly the music industry—and digital services?
Thirdly, and more generally, once article 50 is triggered, how do the UK Government intend to implement legislation agreed in Europe before we Brexit? Finally, what commitments is the Minister prepared to make today to reassure UK creators and rights holders that they will not miss out on any positive measures contained in the draft directive as a result of leaving the European Union?
I rise briefly to speak to the new clause tabled by the hon. Member for Cardiff West. I understand that it seeks to clarify a rule that already exists. As has been mentioned previously, I chair the all-party parliamentary group on music. Earlier in the year, we held a dinner with representatives from the industry and services such as Spotify and Apple Music. The intention of the dinner was better to understand the growing music-streaming market and what measures are needed to help it flourish further for the benefit of creators, fans and those services. I was taken by the agreement across the room about the existence of a value gap between rights holders and some digital services, and the need to ensure fairness in the way music rights are valued and negotiated.
The Government’s response to the EU’s digital platforms consultation, published at the beginning of the year, stated:
“Clarification of terms used in the Directive would, we believe, help to address these concerns.”
I hope the Minister and the Government remain committed to that view and the intention behind the new clause to clarify existing law.
As we have debated, the Bill sends a clear message about copyright infringement, not least because we are increasing the penalty for online copyright infringement from two to 10 years. Of course, I know about the concern in the music industry and elsewhere that online intermediaries need to do more to share revenues fairly with creators. That is what this new clause seeks to tackle, and I agree with that concern.
The hon. Member for Cardiff West mentioned the interaction of the Bill with EU law. The change proposed by the new clause is already the position in European Court of Justice case law, and we support that position in the UK. That provides some clarification to the existing position.
Let me answer the specific questions. First, we are heavily engaged in the digital single market negotiations and the discussions ongoing in Europe. While we are a member of the EU, we will continue to do that. The issue of the value gap, which the hon. Gentleman mentioned, is important, and the development of ECJ case law in that direction has been helpful.
That brings me to Brexit because, as the e-commerce directive is EU single-market legislation, we will have to consider what the best future system will be as we exit the European Union. We will have to consider how the e-commerce regulations as a whole should work in the future. That will be part of the debate about leaving the European Union. For the time being, ECJ case law supports the intentions in the new clause, and I would be wary about making piecemeal changes to the regime. I acknowledge the need, through the Brexit negotiations and the process of setting domestic law where there is currently European law, to take into account the important considerations that have been raised.
The new clause was a probing amendment, and I thank the Minister for his response. It is important to have the Government’s response on the record.
We debate this issue in the context of the UK music industry’s growth: over a four-year period, it has grown by 17%. During that same period, there has been a massive shift from consumers owning music towards the streaming of music. The value of subscription streaming services has jumped from £168 million in 2014 to £251 million in 2015. So there is a model, if you like, in the market, which can produce value for the industry, but it is being undermined by the value gap that is created by the different treatment of these different types of services.
I accept that the Minister has put on the record the Government’s current position and said that there will be a positive engagement with this issue. On that basis, I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
New Clause 16
E-book lending
‘In section 43(2) of the Digital Economy Act 2010, leave out from “limited time” to “and loan.”’
This new clause aims to extend public lending rights to remote offsite e-book lending.—(Kevin Brennan.)
Brought up, and read the First time.
I beg to move that the new clause be read a Second time.
This new clause would enable the consideration of public lending right for remote e-lending from libraries. That would be achieved by amending section 43(2) of the Digital Economy Act 2010, which sets remote loans outside the definition of lending under public lending right.
I do not know whether the Minister, like me, is a bit of a dinosaur and prefers his books to come in physical form—I am currently reading Bruce Springsteen’s autobiography, which I recommend, as well as Ed Balls’s book on politics, which is also very good. However, in this Digital Economy Bill we should acknowledge the increasing role of e-books and their impact on the income of authors. The spirit of the Bill is that we should better reflect how technology has changed our economy, so it is important that we go further in some places to acknowledge where technological change has outpaced legislation in relation to the arts.
Our approach here should be informed by the fact that we have the Digital Economy Act 2010. At the time that it was passed, some opportunities were missed. We should keep that in mind as we discuss this Bill and make sure that we do not allow those opportunities to pass by again as the Bill completes its stages in the House of Commons and afterwards in the other place.
The Digital Economy Act 2010 made some progress but it failed to forecast how our relationship with books would change. In particular, the 2010 Act touched on the subject of e-books, but its wording ignored the main way libraries would end up lending e-books: remotely, over an internet connection. Of course, remote lending is a natural continuation of the function of e-books. One of the main benefits of e-books is that they escape physical constraints such as location and storage.
However, under current legislation, authors receive no payment when a public library loans their book remotely, which is different from any other form of book loan. Last year, 2.3 million remote loans were made, but they were not counted at all towards authors’ payments because the 2010 Act allowed only for on-site loans of e-books, of which there was a negligible number—who will go to a library when they can borrow the book remotely? That is the whole point of e-books. There is no reason in principle why the distinction should exist; that is what the philosophy of this Bill is supposed to be. Nevertheless, as a result, the public lending right—a right for authors established in 1979—has not been honoured, due to the failure of the 2010 Act to keep up with technological change.
I hope that we can take the opportunity today to avoid repeating that mistake. The Society of Authors, the Association of Illustrators, and the Authors’ Licensing and Collecting Society all support the new clause. Public lending right is designed to balance the social need for free public access to books against an author’s right to be remunerated for the use of their work. Indeed, public lending right provides a significant and much-valued part of many authors’ incomes, particularly those authors whose books are sold mainly to libraries and those whose books are no longer in print.
The recent opinion of the Advocate General, relating to a case on rental and lending in respect of copyright works that is currently before the Court of Justice of the European Union, asserted that the lending of electronic books is the modern equivalent of the lending of printed books. I am aware that the Government expressed a desire to reflect this technological change in their March 2013 response to the independent review of e-lending in public libraries in England, but for some reason—perhaps the Minister can tell us why—they have neglected to take the opportunity presented by this Bill to put the matter right.
Furthermore, figures from March this year show that 343 libraries in the UK have been shut down in the past six years, with another 111 closures planned for 2016, which will result in the loss of almost 8,000 jobs. So it is particularly nonsensical not to apply PLR to remote e-book lending, given that it is becoming increasingly hard to visit a physical library. PLR is a legal right and a keystone of a society in which authors receive reward for their considerable cultural contribution. While we can all benefit from technological change and new ways of accessing creative works, it is important that the obligation to remunerate authors fairly is acknowledged and honoured.
Having acknowledged this loophole and the difficulties it causes, it is vital that the Bill addresses the issue, so that right-holders are treated equitably. Will the Minister take action on this issue and accept the new clause—and if not, why?
I wholeheartedly support the hon. Member for Cardiff West in his analysis of the increasing range of digital services at libraries across the country and the importance of those digital services to the communities they serve. I also agree with what he said about the increasing range of e-books and the importance of e-book lending. I am touched by his care for our delivering on the Conservative party manifesto and can tell him that we will deliver on this one too.
Libraries are increasingly providing remote e-book lending, so readers have the opportunity to borrow physical and audio books. Over the last year, 2 million e-book loans were made, which shows how important this is. We have been carefully looking at options for how to implement the manifesto commitment and appropriately compensate authors for remote e-lending, including by extending the PLR to e-books. In doing so, we have engaged with representatives of authors, libraries, agents, publishers and booksellers as well as the Public Lending Right Office. The collaborative input is very valuable and helps to ensure that we achieve an outcome that will be supported by all.
Like the hon. Member for Cardiff West, I am a mixed book reader. I am reading “Down and Out in London and Paris”—a well-thumbed hard copy. I am reading “King Lear” on an e-book, although I would say it is more studying than reading, because it is quite hard work. I bought a Kindle book at the weekend. I fully appreciate all types of books: hard copy and soft, hardback and soft.
The hon. Gentleman will understand how keen we are to implement our manifesto commitment. However, we want to take the time to get it right. Furthermore, we need to ensure that the measure is compatible with the copyright directive while we remain within the European Union. In doing so, we are also paying close attention to a relevant court case, again in the European Court of Justice, where we expect a ruling later this year that will have a bearing on how any clause to bring this into place would be drafted.
For those reasons, we are taking our time to get this right. With that explanation, I hope the hon. Member will withdraw his new clause.
I will, but I do not think that there is any real need for the Minister not to commit carrying the measure out in the Bill. It simply extends what is already available. If someone borrowed an e-book by turning up at a library, the author would receive their public lending right, but if they did so remotely through the same library service, the author would not. Clearly that is an unacceptable injustice and anomaly.
The Minister has said that the Government need to take their time. It was March 2013 when they said in their response to the independent review that they intended to reflect that technology change. Three years and eight months later, we have a Bill in Committee in the House of Commons and still the Government say they need to take their time to get it right. This Bill is the right time to get it right. I hope the Minister will reflect further on the raft of amendments to this defective Bill that will be introduced in the House of Lords if we do not put this right in the House of Commons. I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
New Clause 19
Personal data breaches
‘(1) The Data Protection Act 1998 is amended as follows.
(2) After section 24 insert—
“24A Personal data breaches: notification to the Commissioner
(1) In this section, section 24B and section 24C, “personal data breach” means unauthorised or unlawful processing of personal data or accidental loss or destruction of, or damage to, personal data.
(2) Subject to subsections (3), (4)(c) and (4)(d), if a personal data breach occurs, the data controller in respect of the personal data concerned in that breach shall, without undue delay, notify the breach to the Commissioner.
(3) The notification referred to in subsection (2) is not required to the extent that the personal data concerned in the personal data breach are exempt from the seventh data protection principle.
(4) The Secretary of State may by regulations—
(a) prescribe matters which a notification under subsection (2) must contain;
(b) prescribe the period within which, following detection of a personal data breach, a notification under subsection (2) must be given;
(c) provide that subsection (2) shall not apply to certain data controllers;
(d) provide that subsection (2) shall not apply to personal data breaches of a particular description or descriptions.
24B Personal data breaches: notification to the data subject
‘(1) Subject to subsections (2), (3), (4), (6)(b) and (6)(c), if a personal data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller in respect of the personal data concerned in that breach shall also, without undue delay, notify the breach to the data subject concerned, insofar as it is reasonably practicable to do so.
(2) The notification referred to in subsection (1) is not required to the extent that the personal data concerned in the personal data breach are exempt from the seventh data protection principle.
(3) The notification referred to in subsection (1) is not required to the extent that the personal data concerned in the personal data breach are exempt from section 7(1).
(4) The notification referred to in subsection (1) is not required if the data controller has demonstrated, to the satisfaction of the Commissioner—
(a) that the data controller has implemented appropriate measures which render the data unintelligible to any person who is not authorised to access it, and
(b) that those measures were applied to the data concerned in that personal data breach.
(5) If the data controller has not notified the data subject in compliance with subsection (1), the Commissioner may, having considered the likely adverse effects of the personal data breach, require the data controller to do so.
(6) The Secretary of State may by regulations—
(a) prescribe matters which a notification under subsection (1) must contain;
(b) provide that subsection (1) shall not apply to certain data controllers;
(c) provide that subsection (1) shall not apply to personal data breaches of a particular description or descriptions.
24C Personal data breaches: audit
‘(1) Data controllers shall maintain an inventory of personal data breaches comprising—
(a) the facts surrounding the breach,
(b) the effects of that breach, and
(c) remedial action taken
which shall be sufficient to enable the Commissioner to verify compliance with the provisions of sections 24A and 24B. The inventory shall only include information necessary for this purpose.
(2) The Commissioner may audit the compliance of data controllers with the provisions of sections 24A, 24B and 24C(1).
(3) In section 40 (Enforcement notices)—
(a) in subsection (1)—
(i) after “data protection principles,” insert “or section 24A, 24B or 24C”;
(ii) for “principle or principles” substitute “principle, principles, section or sections”;
(b) in subsection 6(a) after “principles” insert “or the section or sections”.
(4) In section 41 (Cancellation of enforcement notice”)—
(a) in subsection (1) after “principles” insert “or the section or sections”;
(b) in subsection (2) after “principles” insert “or the section or sections”.
(5) In section 41A (Assessment notices)—
(a) in subsection (1) after “data protection principles” insert “or section 24A, 24B or 24C”;
(b) in subsection (10)(b) after “data protection principles” insert “or section 24A, 24B or 24C”.
(6) In section 41C (Code of practice about assessment notices)—
(a) in subsection (4)(a) after “principles” insert “and sections 24A, 24B and 24C”;
(b) in subsection (4)(b) after “principles” insert “or sections”.
(7) In section 43 (Information notices)—
(a) in subsection 43(1)—
(i) after “data protection principles” insert “or section 24A, 24B or 24C”;
(ii) after “the principles” insert “or those sections”;
(b) in subsection 43(2)(b) after “principles” insert “or section 24A, 24B or 24C”.
(8) In section 55A (Power of Commissioner to impose monetary penalty)—
(a) after subsection (1) insert—
“(1A) The Commissioner may also serve a data controller with a monetary penalty notice if the Commissioner is satisfied that there has been a serious contravention of section 24A, 24B or 24C by the data controller.”;
(b) in subsection (3A) after “subsection (1)” insert “or (1A)”;
(c) in subsection (4) omit “determined by the Commissioner and”;
(d) in subsection (5)—
(i) after “The amount” insert “specified in a monetary penalty notice served under subsection (1) shall be”;
(ii) after “Commissioner” insert “and”;
(e) after subsection (5) insert—
“(5A) The amount specified in a monetary penalty notice served under subsection (1A) shall be £1,000.
(5B) The Secretary of State may by regulations amend subsection (5A) to change the amount specified therein.”
(9) In section 55B (Monetary penalty notices: procedural rights)—
(a) in subsection (3)(a) omit “and”;
(b) after subsection (3)(a) insert—
(aa) specify the provision of this Act of which the Commissioner is satisfied there has been a serious contravention, and”;
(c) after subsection (3) insert—
“(3A) A data controller may discharge liability for a monetary penalty in respect of a contravention of section 24A, 24B or 24C if he pays to the Commissioner the amount of £800 before the time within which the data controller may make representations to the Commissioner has expired.
(3B) A notice of intent served in respect of a contravention of section 24A, 24B or 24C must include a statement informing the data controller of the opportunity to discharge liability for the monetary penalty.
(3C) The Secretary of State may by regulations amend subsection (3A) to change the amount specified therein, save that the amount specified in subsection (3A) must be less than the amount specified in section 55A(5A).”;
(d) in subsection (5) after “served” insert “under section 55A(1)”;
(e) after subsection (5) insert—
“(5A) A person on whom a monetary penalty notice is served under section 55A(1A) may appeal to the Tribunal against the issue of the monetary penalty notice.”
(10) In section 55C(2)(b) (Guidance about monetary penalty notices) at the end insert “specified in a monetary penalty notice served under section 55A(1)”.
(12) In section 67 (Orders, regulations and rules)—
(a) in subsection (4)—
(i) after “order” insert “or regulations”;
(ii) after “section 22(1),” insert “section 24A(4)(c) or (d), 24B(6)(b) or(c),”;
(b) in subsection (5)—
(i) after subsection (c) insert “(ca) regulations under section 24A(4)(a) or (b) or section 24B(6)(a),”;
(ii) for “(ca) regulations under section 55A(5) or (7) or 55B(3)(b),” substitute “(cb) regulations under section 55A(5), (5B) or (7) or 55B(3)(b) or (3C),”.
(13) In section 71 (Index of defined expressions) after “personal data |section 1(1)” insert “personal data breach |section 24A(1)”.
(14) In paragraph 1 of Schedule 9—
(a) after paragraph 1(1)(a) insert—
“(aa) that a data controller has contravened or is contravening any provision of section 24A, 24B or 24C, or”;
(b) in paragraph 1(1B) after “principles” insert “or section 24A, 24B or 24C”;
(c) in paragraph (3)(d)(ii) after “principles” insert “or section 24A, 24B or 24C”;
(d) in paragraph (3)(f) after “principles” insert “or section 24A, 24B or 24C.””
This new clause seeks to create a general obligation on data controllers to notify the Information Commissioner and data subjects in the event of a breach of personal data security. The proposed obligation is similar to that imposed on electronic communication service providers by the Privacy and Electronic Communications (EC Directive) Regulations 2003.—(Louise Haigh.)
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
New clause 19 would provide a general obligation on companies to report personal data breaches. This crucial amendment gets to the heart of the regulatory system around cyber-security. Cyber-security is one of the greatest challenges we face as a country. Despite the Government’s multi-million pound strategy and their further welcome announcement today, we do not believe they have faced up to the challenge yet. Some 90% of large UK firms were attacked in 2014. That is an astonishing figure, and yet only 28% of those businesses reported their cyber-attack to the police. As the Minister knows, national crime statistics rose for the first time in 20 years last year, because scams and cybercrime are now included.
Throughout discussion of the Bill, we have made it clear that we feel it does nothing to address the real challenges facing the digital economy. The Bill should have equipped the sector for the digital future—a future as replete with challenges as with opportunities. None of those challenges could be greater than cyber-security. That security says to consumers and individuals that, in this coming century, when data will be the lifeblood and the exchange of personal data the currency, nothing is more critical to ensure that that runs smoothly than their trust.
This multi-billion-pound sector, which now amounts to 11% of our GDP, is utterly reliant on the mutual trust fostered between consumers and producers, which is why the new clause is so critical. It would establish for the first time a duty on all companies to report any breach of cyber-security. The legislation as it stands is simply inadequate. The Data Protection Acts deal extensively with the protection of personal data, but there is no legal obligation on companies to report data breaches. The privacy and electronic communications regulations include an obligation to report data breaches, but that only applies to telecommunications companies and internet service providers and, at that stage, only requires companies to consider information customers.
Clearly, however, it is not only communications providers that hold sensitive data about people that carry the potential to be commodified. Insurance companies have had their data stolen, to be sold to claims management companies; banks are hacked, as J.P. Morgan was in 2014; and TK Maxx suffered the largest retail hack to date with the loss of credit and debit card information. Yet none of those examples had a duty to report to their customers to ensure that further harm was not done with their information.
The net impact of the lack in existing legislation is that the vast majority of attacks go unreported, and people are left in the dark when their personal data have been hacked, leaked, stolen or sold. If we are to talk meaningfully about data ownership, we cannot allow that to continue. We welcome yesterday’s announcement that the Government will be implementing the general data protection regulation. As the Minister knows, the GDPR provides for a general obligation on all companies to report breaches to regulators and customers. Will he make it clear how he expects to fulfil that obligation and whether he is willing to accept the new clause?
Fundamentally, we are keen that the UK’s digital economy is not seen as a soft touch on cybercrime. That is why the new clause would impose a general obligation on data controllers to notify the Information Commissioner and data subjects in the event of breaches of personal data security. We believe that that would be a major step forward, and we look forward to the Minister’s comments.
It is completely outrageous to suggest that we are the ones arguing for delay.