Leaving the EU: Data Protection Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Kevin Brennan
Main Page: Kevin Brennan (Labour - Cardiff West)Department Debates - View all Kevin Brennan's debates with the Department for Digital, Culture, Media & Sport
Leaving the EU: Data Protection
Kevin Brennan Excerpts(6 years, 7 months ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Kevin Brennan (Cardiff West) (Lab)
First, let me apologise for my right hon. Friend the Member for Birmingham, Hodge Hill (Liam Byrne) who has recently joined our team and would normally be speaking on these matters. He is currently fulfilling a prior obligation to speak at the Council of Europe in Strasbourg. It is nice to have him on our team as we served together in the Cabinet Office in government, along with my hon. Friend the Member for West Bromwich East (Tom Watson), and we all look forward to serving in government again very soon in the Department for Digital, Culture, Media and Sport.
If I may, I will just correct the Minister, who inadvertently misinformed the House. Of course, Gibraltar is not part of the United Kingdom. It is an overseas territory. It is technically part of the European Union, although it is obviously excluded from the customs union and the common agricultural policy.
Matt Hancock
The hon. Gentleman is quite right. Of course, Gibraltar is part of the UK family. I should have been clearer about that, but I am glad that we have cleared that up.
Kevin Brennan
As ever, the Minister is modest enough to accept when he makes a mistake and correct the record.
There are few debates that are more important than those concerning trade, especially in the context of the decision of the UK to exit the European Union with all the impact that that could have on the UK economy. As the Minister quite rightly said, in the 21st century there is nothing much more important to trade than data. As we have heard, 43% of EU tech companies are based in the United Kingdom and three quarters of the UK’s cross-border data flows are with other European Union countries. These data flows are essential for UK trade. Approximately half of all trade in services is enabled by digital technologies and the associated data flows.
Effective modern data protection laws that set down strong rights and protections are vital if the public are to have any trust in the use of personal information within the digital economy, the delivery of public services and the fight against crime. Ensuring that the public can trust that their data is handled safely, whether in the public or private sector, is important for us all. We need to get the Data Protection Bill right—as the Minister pointed out, the Bill has been introduced in the other place and is there as we speak—to implement the new European Union rules on data protection contained in the general data protection regulation. If we do not get it right, people will not benefit to the fullest extent from the new digital services that are coming online all the time. I am sure that the Minister will be pleased that the Opposition welcome the Bill. We deeply regret that the Government opposed our previous attempts to strengthen data protection at the time of the passage of the Digital Economy Act 2017, just a few short months ago, but better late than never. In scrutinising the Data Protection Bill, we will ensure that it is not too little, too late.
So far, the Government have talked the talk about their commitment to unhindered, uninterrupted data flows post-Brexit, but the Data Protection Bill does not really set out fully how they plan to deliver on that promise. Even if the Bill succeeds in bringing UK law into line with the EU’s data protection framework by the deadline of 25 May 2018, it does not necessarily mean that the Bill provides for the future. On leaving the EU, the Government will need to satisfy the European Commission that the UK’s data protection framework provides an “adequate level of protection”. The Government and the Minister today seem to be saying that achieving a positive adequacy decision will be easy, but it might not be as easy as the Minister indicated.
Under article 45 of the general data protection regulation, the European Commission is required to consider a number of issues including, among other things, existing surveillance practices. As Lord Stevenson said in the other place on Tuesday, several commentators have indicated that the current activities of British intelligence services could
“jeopardise a positive adequacy decision”
since data protection rules
“do not offer an equivalent standard of protection to that available in the rest of the EU.”—[Official Report, House of Lords, 10 October 2017; Vol. 785, c. 129.]
Lord Stevenson asked the Government how they might square this circle, but unfortunately received no answer. I understand we will have the intense and unusual pleasure of a second contribution from the Minister in this debate—I foreshadow that by indicating to the House that I will also seek permission to respond on behalf of the Opposition in a similar fashion—so perhaps he could answer that question during his closing remarks.
The Government seem to have lost sight of the need to ensure continuity during the transition period and beyond. They must have measures in place to reassure all those businesses that have taken advantage of the UK as the gateway to Europe that they will pass the adequacy test and ensure that stability and certainty. Given that we need a new data protection regime for sharing data across the channel and the Irish sea, we may as well get this new regime right for consumers as well as businesses. At a time of increasing concern about the misuse of personal data by certain companies, is not there a need for a far more stringent regulatory structure than that contained in the Data Protection Bill?
Colleagues in the other place have already remarked that the tech giants that dominate the digital economy and the market for data have, for too long, got away with portraying themselves as purely neutral platforms. They are not, as each of their business models—not to mention their share value—is predicated on the data flows that they generate and monetise. It has become a cliché, but in a very real sense data is the new oil in the economy.
We should also speak about children in the context of data protection. The Minister did not mention this part of the Government’s plans in his remarks, but I hope he refers to it when he sums up. Children and young people are at the leading edge of the online world, with 75% of 10 to 12-year-olds and 96% of 13 to 18-year-olds using social media sites, with Facebook ranked at the top. Sadly, this has resulted in children and teens being treated as data assets by business, with their personal data stolen and sold without informed consent on a regular basis. That cannot be right. The Data Protection Bill represents an opportunity to right this wrong, but the current drafting of the Bill does not give us much cause for hope in that area.
The Government have chosen to derogate from the general data protection regulation, as the Minister mentioned, by setting the minimum age for a child consenting to the processing of personal data at 13 years of age, rather than 16. Why have they chosen to derogate in that fashion? As John Carr, a member of the executive board of the UK Council for Child Internet Safety, which was set up under the last Labour Government, has noted, perhaps the age of 13 was chosen because when Ireland—where the big social media companies are based—decided on 13 years of age, the UK’s decision was all but irrelevant. Does the Minister agree with that? If that is not the case, what is his explanation for why the Government chose to make this derogation? They claimed in their statement of intent published in August:
“Child online safety is one of the top priorities for this government”.
If so, 16 would have been a better age, as Sonia Livingstone, professor of social psychology in the department of media and communications at the London School of Economics, has argued.
Some people might argue that a lower minimum age is good for younger people’s participation in the digital world, but evidence from the regulator, Ofcom, shows quite clearly that fewer than half of 12 to 15-year-olds can identify an online-sponsored result, let alone understand how companies exploit their personal data. If the Government insist on staying the course with regard to this derogation, they must at the very least guarantee to the House today that they will ensure a significant increase in media education and digital literacy among young people. I hope that the Minister will refer to that in his response. This returns us to the responsibilities of social media and other online businesses.
While we may debate where the minimum age of consent should be fixed, the fact that the Bill does not place any requirements on these companies to prevent under-age access to their services is a glaring oversight, especially from a Government who claim that child online safety is one of their top priorities. The Leader of the House so memorably described Jane Austen in this Chamber not so long ago as
“one of our greatest living authors”—[Official Report, 20 July 2017; Vol. 627, c. 1004.]
To paraphrase Jane Austen, it is a truth universally acknowledged that the Government are making a complete Horlicks of the article 50 negotiations, as we saw again just this morning. At least, they have now taken up our policy.
Matt Hancock
Just on a point of English language, it is clearly not a truth universally acknowledged, because I do not acknowledge it.
Kevin Brennan
Well, at least the Minister did not claim that Jane Austen was our greatest living author—I will give him credit for that.
I give the Minister and the Government credit for taking up our policy of having a transitional period with regard to Brexit to give themselves a little more time. The price of getting data protection wrong would obviously be enormous, because so many companies rely on transmitting data across the single market.
For many years, we have talked of the four freedoms—the free movement of goods, services, capital and people—but there is a fifth freedom, because, in reality, we have created one of the world’s leading regimes for data transfer, which has allowed our tech companies to grow, flourish and prosper. It would be a disaster if any division, dithering or incompetence around the Brexit negotiations now imperilled that achievement.
The Government have set themselves a very tight schedule for passing the Bill into law before the end of April 2018. As I have indicated, the Opposition will support the main principles of the Bill, but there is a great deal of work still to be done, with several areas needing to be scrutinised, and the Government need to be prepared to amend the Bill to rectify some of the inadequacies I have indicated during my remarks.
All of us in this place owe it to the public, and especially to children, to get this legislation right. We cannot afford to fail just because of the dysfunctionality at the heart of the Government, and I hope the Minister will not be complacent on that score.
Stephen Kerr
No, they are not separate things. I want our country to be at the forefront of this revolution, because it represents a massive competitive advantage and can be the primary means of unlocking the perplexing conundrum of Britain’s productivity gap.
The fourth industrial revolution is powered by data. It has already been said a number of times in this debate—perhaps it is a cliché—that data is the new oil. Increasingly, data makes the world go around. I am grateful to Guy Lloyd, a fellow of the Association of Professional Sales, for his graphic description of the digital age we live in, which is creating new information exponentially. Incredibly, 90% of data in the world today has been created in the past two years alone. Our current daily output of data is about the equivalent of 10 million Blu-ray discs which, if stacked, would be as high as four Eiffel towers. It does not take a genius to predict that, as the world becomes more connected and individuals become more empowered through technology, the data deluge will only increase.
Digital tools, fuelled by big data, are making it increasingly easy for business organisations to profile the marketplace they operate in, to identify the best potential customers for their business and to improve the effectiveness and efficiency of their lead generation activities. Using artificial intelligence search engines, businesses trawl company reports, social presence and analyst commentaries to find companies that are likely to have a problem suited to their offering, and then identify who to talk to and how to connect with them based on their prospects’ employee social profiles. Artificial intelligence will also identify problems in the prospect journey through the opportunity pipeline, even predicting possible issues before an initial engagement and suggesting workable solutions. The algorithmic examination of large amounts of data collected across the complex interactions of customers, and employees of customers, supports the design of much-improved customer experience. This is the world we are already living in.
Data protection should be about providing assurance that the data each of us provides to public bodies and private organisations is safe. The foundation principle of data protection must be trust. Each individual citizen must feel that their rights are protected in law, and they should also know that their rights are protected in law. The true focus of any data protection regime must be to provide reassurance to the individual citizen that their personal data is theirs to own, control and share as they choose and that they can make decisions to share their data on an informed basis. Public and private corporations must be accountable for how they use that information, and they must collect it ethically and transparently.
There is no argument from me about the fact that the data protection regime within the European Union is a robust system that has been designed to provide significantly enhanced rights and protections for individual EU citizens. My concern, however, is that data protection can also be a carefully constructed protectionist measure that works to the commercial advantage and convenience of some of the largest multinational companies. So often the voices of lobbyists and corporations drown out the better nature of our policymakers and, more often than not, that is certainly true of the European Union. EU regulations can become so complex and byzantine that new entrants to the field—I am talking from a commercial perspective—from emerging markets are crowded out. I seek assurances from the Minister in that regard.
Some Members will undoubtedly be in favour of protectionist policies, but I believe in free trade. The EU has built a wall from such regulations—a wall that we must be ready occasionally to breach. From my own point of view, the idea of being able to interact with the 3.7 billion humans who are on the internet is not only desirable but vital for the growth of many companies beyond the relatively small numbers within the European Union. We can position Britain at the heart of this global data processing industry. We have a proud history of this—from the Babbage engine to Skyscanner, via the work at Bletchley Park and Manchester 1. In my constituency of Stirling, superb IT companies are already expert in the field of data processing, and CodeBase Stirling, an organisation for supporting emerging companies, many of which will be developing new applications in this field, has recently located there. Students at Stirling University are learning about big data in a master’s programme, and the work carried out there on big data analytics as well as machine learning will bear fruit long into the future.
We in this country have the skills and the knowledge. Members who think that we will sink without the EU have little faith in the spirit of the British entrepreneur. Brexit gives us the opportunity to think globally, and think globally we shall. Rather than the existing adequacy model of the EU, we need to consider partnerships based on shared understanding of privacy rights and a shared goal of ensuring that consumers give informed consent to their data being used. A shared international framework would give surety to companies operating globally that there are common standards to adhere to, at the same time as protecting consumers.
Kevin Brennan
I am listening with great interest to the hon. Gentleman’s speech. If he is saying that we should not participate in the adequacy arrangements, is he disagreeing with the Minister’s comments that we should have an arrangement akin to the adequacy requirements?
Stephen Kerr
No, I did not actually say we should not participate. I am saying that we should think further afield and establish relationships that involve agreements on a shared understanding of what privacy rights are, and we should ensure that consumers outside the EU, too, give informed consent to their data being used. A shared international framework would give surety to companies operating globally.
Many people of my generation will be disappointed that instead of personal rocket packs we have mobile phones and Twitter, but there is something about our modern life that fills me with hope. We can come closer together as a world community of individuals living together, with more respect for our fellow beings, as we see the barriers of culture, language and custom fall around us. But we need to be prepared for the times in which we live. We owe it to the people of our country and to our companies to keep our regulatory regime up to date as technology changes and emerges. Our laws should be responsive to change and adaptive to the social and economic changes that technology brings about. I believe we can achieve that far more readily in our own Parliament and that we can make the UK a world class data-safe partner.
Privacy and the protection of our data are vital, given the way we live today. We create footsteps and tracks in all aspects of our life, whether through the purchase of a product at an online shop, the presence of our mobile phone accessing a public wi-fi, or the use of a social media platforms. Every aspect of our lives can be and is recorded by companies that use complex algorithms to profit from this information. Let us be honest: this can often lead to greater convenience for us as consumers. The way we surrender our personal data can be considered transactional. We surrender some of our personal freedom to get access to a product or service that we want. This needs to be made clear to people who often access services without knowing the sacrifices that are being made to their privacy. People might think they are getting things for free when in fact they are paying with their valuable personal data. Sometimes this is a good deal but sometimes it is not, and it is for informed consumers to make that choice. Rights enshrined in law should be clear and easy to understand. The use of personal information should be subject to regulation, but not in such a restrictive way as to make it impossible to handle. Informed consent should be our watchword.
The internet is the best vehicle for economic growth that we have, and with data being produced at a rate of 2.5 billion gigabytes per day, it is not going away. It is also a tremendous opportunity. Our responsibility as lawmakers is to anticipate and follow technological change, and to understand how the technologies and habits that our people form require new protections in law. It is also our responsibility to ensure that the laws that we make are proportionate and do not generate a protectionist climate for our companies, but instead protect our citizens.
I believe that this is another area of public policy where the opportunities presented to us by Brexit are substantial. We can make our laws more responsive; we can break down barriers to trade with consumers around the world; and we can build a proper data protection regime that protects our citizens.
Stephen Timms
The firms in my hon. Friend’s constituency are absolutely right. If we do not achieve that adequacy declaration, it will become illegal for personal data to be exchanged between the UK and the countries of the EU, and there will no longer be a lawful basis for large swathes of businesses in the country to continue to operate.
Kevin Brennan
Perhaps we can draw an analogy with my right hon. Friend’s earlier remarks about the customs union and single market and say that the Government are seeking an adequacy agreement, but not in name on this occasion.
Stephen Timms
The problem is that if it is not an adequacy agreement in name, it is not clear what it is. [Interruption.] Yes, an inadequacy agreement, perhaps.
We also need this to be clarified soon, because otherwise businesses will have no alternative but to make arrangements to shift the activities into the other EU countries to avoid the risk of them no longer being lawful—and if this is left to the last minute, with some late-night deal at some distant point, these companies will have gone.
Kevin Brennan
With the leave of the House, Madam Deputy Speaker.
This has been a very interesting debate. It has, in a sense, been the First Reading of a Bill, which is an innovation on the Government’s part. Although the Bill is currently in the House of Lords, I suspect that there may be a degree of repetition when it eventually comes here for its Second Reading. However, I am sure that the Minister’s Second Reading speech will be completely original, and will not contain any of the information that he has given us this afternoon.
The debate has also been very well informed, and we have heard from Members on both sides of the House. The hon. Member for Bromley and Chislehurst (Robert Neill) drew attention to the importance of tech companies in London and to the importance of bespoke arrangements for when Britain leaves the European Union. The Scottish National party’s Front Bench spokesman, the hon. Member for Argyll and Bute (Brendan O’Hara), expressed many of the views that I think we share, and I am sure that they will be developed on Second Reading and in Committee. The hon. Member for Stirling (Stephen Kerr), who is no longer in the Chamber, spoke about the accountability and ethics involved in data use and said that he was a champion of free trade. I was not entirely sure that I grasped how his point about adequacy fitted in with what the Minister had said about something “akin to” adequacy, but he gave his own explanation nevertheless. My right hon. Friend the Member for East Ham (Stephen Timms) was, as usual, erudite and informed, but never anorakish, in his contribution and made some extremely important points [Interruption.] The Minister is shouting “Rubbish”; I know he is not doing so about the content of my right hon. Friend’s speech, because my right hon. Friend made some extremely important points about the EU charter of fundamental rights and clarity on the adequacy agreement. I know the Minister was listening carefully, because he intervened on my right hon. Friend, but I hope he reflects on what my right hon. Friend said before the Bill comes to us on Second Reading.
We then had the immense pleasure of a maiden speech from my hon. Friend the Member for Warwick and Leamington (Matt Western), which is indeed a very beautiful and happy place. My daughter recently spent three years in Leamington Spa while a student at Warwick University—and was a member of the Leamingtones singing group—and I can confirm that it is a very happy place. My hon. Friend rightly paid tribute to his predecessor. I hope his predecessor does not mind my saying—this is not meant in a mean-spirited way—that I was quite pleased when he lost his seat, because for some reason people thought he and I looked alike. That was perhaps something to do with our stature or our glasses, and from time to time we were mistaken for each other. I wish him well outside the House and look forward to people no longer saying to me “You must have a double,” every time I was mistaken for him around this place. My hon. Friend rightly paid gracious tribute to his predecessor, and his maiden speech was very witty and erudite, as well as serious. We wish him a long and successful career in this House, and I am sure he will make a great contribution.
The hon. Member for Chelmsford (Vicky Ford) made her contribution, and then my hon. Friend the Member for Cambridge (Daniel Zeichner) made a very thorough speech. He told us of his chairmanship of the all-party group on data analytics. We should thank it for the briefing it supplied ahead of this debate, which was very useful, and should also mention other briefings that were supplied but not referred to during the debate, such as that from the Association of British Insurers, many of whose points have come out in general debate in any case.
Showing the talent on the Labour Benches, we also had excellent contributions from my hon. Friends the Members for Leeds North West (Alex Sobel) and for Bristol North West (Darren Jones), and I hope they will serve on the Bill Committee, as they could both bring great forensic analysis to the scrutiny of the Minister, who I know, having debated with him before, welcomes that immensely from the Opposition in Committee. I am sorry that my hon. Friend the Member for Bristol North West outed himself as a lawyer in this area, as I was hoping that we might spring him as a surprise on the Minister, but now I know he will be going away and doing research on my hon. Friend. We also had a contribution from the hon. Member for Bath (Wera Hobhouse), who pointed out the importance of a good Brexit deal and the damage that uncertainty is causing to business.
Finally, we heard from the hon. Member for Strangford (Jim Shannon), a very popular Member of this House, who was still able to make a very good speech in spite of Brexit. As ever, he was fluent and assiduous in his contribution, and he pointed out the special position of Northern Ireland, having a land border with the EU post Brexit, which we must never forget is a key issue.
I will not repeat the points I made in my speech, but I remind the Minister that I asked him to explain, and hope he is able to, the thinking behind the Government’s derogation on the minimum age for a child consenting in respect of the processing of their personal data at 13 years rather than 16 years. If he can rehearse that for the House at this point, it will perhaps be helpful when we consider it further down the line when the Bill comes before us, as it will if he also responds to the key points made in the debate by me and other Members in relation to adequacy, security and so on. We look forward to hearing the Minister’s response to the debate.