(6 years, 9 months ago)
Public Bill CommitteesThat sounds like a terrifying application; my hon. Friend’s daughter very much has my sympathies. He is absolutely right. Lord Knight made this point with such power in the other place. The technology is advancing so quickly, and schools know that if they can monitor things in new, more forensic ways, that helps them to do their job of improving children’s education. However, it has costs and consequences too. I hope that Her Majesty’s Government will look sympathetically on the task of teachers, as they confront this 200-and-heaven-knows-what-page Bill.
Does my right hon. Friend share my concerns that, in response to a number of written parliamentary questions that I tabled, it became clear that the Government gave access to the national pupil database, which is controlled by the Government, to commercial entities, including newspapers such as The Daily Telegraph?
Yes. My hon. Friend has done an extraordinary job of exposing that minor scandal. I am surprised that it has not had more attention in the House, but hopefully once the Bill has passed it is exactly the kind of behaviour that we can begin to police rather more effectively.
I am sure that Ministers will recognise that there is a need for this. No doubt their colleagues in the Department for Education are absolutely all over it. I was talking to a headteacher in the Minister’s own constituency recently—an excellent headteacher, in an excellent school, who is a personal friend. The horror with which headteachers regard the arrival of the GDPR is something to behold. Heaven knows, our school leaders and our teachers have enough to do. I call on Ministers to make their task, their lives, and their mission that bit easier by accepting the new clause.
I am reassured by that and I beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.
New Clause 17
Personal data ethics advisory board and ethics code of practice
‘(1) The Secretary of State must appoint an independent Personal Data Ethics Advisory Board (“the board”).
(2) The board’s functions, in relation to the processing of personal data to which the GDPR and this Act applies, are—
(a) to monitor further technical advances in the use and management of personal data and their implications for the rights of data subjects;
(b) to monitor the protection of the individual and collective rights and interests of data subjects in relation to their personal data;
(c) to ensure that trade-offs between the rights of data subjects and the use of management of personal data are made transparently, inclusively, and with accountability;
(d) to seek out good practices and learn from successes and failures in the use and management of personal data;
(e) to enhance the skills of data subjects and controllers in the use and management of personal data.
(3) The board must work with the Commissioner to prepare a data ethics code of practice for data controllers, which must—
(a) include a duty of care on the data controller and the processor to the data subject;
(b) provide best practice for data controllers and processors on measures, which in relation to the processing of personal data—
(i) reduce vulnerabilities and inequalities;
(ii) protect human rights;
(iii) increase the security of personal data; and
(iv) ensure that the access, use and sharing personal data is transparent, and the purposes of personal data processing are communicated clearly and accessibly to data subjects.
(4) The code must also include guidance in relation to the processing of personal data in the public interest and the substantial public interest.
(5) Where a data controller or processor does not follow the code under this section, the data controller or processor is subject to a fine to be determined by the Commissioner.
(6) The board must report annually to the Secretary of State.
(7) The report in subsection (6) may contain recommendations to the Secretary of State and the Commissioner relating to how they can improve the processing of personal data and the protection of data subjects’ rights by improving methods of—
(a) monitoring and evaluating the use and management of personal data;
(b) sharing best practice and setting standards for data controllers; and
(c) clarifying and enforcing data protection rules.
(8) The Secretary of State must lay the report made under subsection (6) before both Houses of Parliament.
(9) The Secretary of State must, no later than one year after the day on which this Act receives Royal Assent, lay before both Houses of Parliament draft regulations in relation to the functions of the Personal Data Ethics Advisory Board as listed in subsections (2), (3), (4), (6) and (7) of this section.
(10) Regulations under this section are subject to the affirmative resolution procedure.’—(Darren Jones.)
This new clause would establish a statutory basis for a Data Ethics Advisory Board.
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
New clause 17 is in my name and that of my right hon. Friend the Member for Birmingham, Hodge Hill. I do not take it personally that my other hon. Friends have not signed up to it; that was probably my fault for not asking them to do so in advance.
The new clause would bring a statutory footing to the data and artificial intelligence ethics unit, which I am very pleased that the Government have now funded and established, through the spring statement, in the Minister’s Department. It comes off the back of conversations with the Information Commissioner in Select Committee about the differing roles of enforcing legislation and of having a public debate about what is right and wrong and what the boundaries are in this ever-changing space. The commissioner was very clear that we need to have that debate with the public, but that it is not for her to do it. The ICO is an enforcer of legislation. The commissioner has a lot on her plate and is challenged by her own resource as it is. She felt that the new unit in the Department would be a good place to have the debate about technology ethics, and I support that assertion.
With no disrespect to any colleagues, I do not think that the House of Commons, and perhaps even the Select Committees to a certain extent, necessarily has the time, energy or resource to get into the real detail of some of the technology ethics questions, nor to take them out to the public, who are the people we need to be having the debate with.
The new clause would therefore establish in law that monitoring, understanding and public debate obligation that I, the ICO and others agree ought to exist in the new data ethics unit, but make it clear that enforcement was reserved for the Information Commissioner. I tabled the new clause because, although I welcome the Government’s commitment to the data and AI ethics unit, I feel that there is potential for drift. The new clause would therefore put an anchor in the technology ethics requirement of the unit so that it understands and communicates the ethical issues and does not necessarily get sidetracked into other issues, although it may seek to do that on top of this anchor. However, I think this anchor needs to be placed.
Also, I recognise that the Minister and the Secretary of State supported the recommendation made previously under the Cameron Government and I welcome that, but of course, with an advisory group within the Department, it may be a future Minister’s whim that they no longer wish to be advised on these issues, or it may be the whim of the Treasury—with, potentially, budget cuts—that it no longer wishes to fund the people doing the work. I think that that is not good enough and that putting this provision in the Bill would give some security to the unit for the future.
I will refer to some of the comments made about the centre for data ethics and innovation, which I have been calling the data and AI ethics unit. When it was first discussed, in the autumn Budget of November 2017, the Chancellor of the Exchequer said that the unit would be established
“to enable and ensure safe, ethical and ground-breaking innovation in AI and data-driven technologies. This world-first advisory body will work with government, regulators and industry to lay the foundations for AI adoption”.
Although that is a positive message, it says to me that its job is to lay the foundations for AI adoption. I agree with that as an aim, but it does not mean that at its core is understanding and communicating the ethical challenges that we need to try to understand and legislate for.
I move on to some of the documents from the recruitment advertising for personnel to run the unit from January of this year, which said that the centre will be at the centre of plans to make the UK the best place in the world for AI businesses. Again, that is a positive statement, but one about AI business adoption in this country, not ethical requirements. It also said that the centre would advise on ethical and innovative uses of data-driven tech. Again, that is a positive statement, but I just do not think it is quite at the heart of understanding and communicating and having a debate about the ethics.
My concern is that while all this stuff is very positive, and I agree with the Government that we need to maintain our position as a world leader in artificial intelligence and that it is something we need to be very proud of—especially as we go through the regrettable process of leaving the European Union and the single market, we need to hold on to the strengths we have in the British economy—this week has shown that there is a need for an informed public debate on ethics. As no doubt all members of the Committee have read in my New Statesman article of today, one of the issues we have as the voice of our constituents in Parliament is that in order for our constituents to understand or take a view on what is right or wrong in this quickly developing space, we all need to understand it in the first place—to understand what is happening with our data and in the technology space, to understand what is being done with it and, having understood it, to then to take a view about it. The Cambridge Analytica scandal has been so newsworthy because the majority of people understandably had no idea that all this stuff was happening with their data. How we legislate for and set ethical frameworks must first come from a position of understanding.
That is why the new clause sets out that there should be an independent advisory board. The use of such boards is commonplace across Departments and I hope that would not be a contentious question. Subsection (2) talks about some of the things that that board should do. The Minister will note that the language I have used is quite careful in looking at how the board should monitor developments, monitor the protection of rights and look out for good practice. It does not seek to step on the toes of the Information Commissioner or the powers of the Government, but merely to understand, educate and inform.
The new clause goes on to suggest that the new board would work with the commissioner to put together a code of practice for data controllers. A code of practice with a technology ethics basis is important because it says to every data controller, regardless of what they do or what type of work they do, that we require ethical boundaries to be set and understood in the culture of what we do with big data analytics in this country. In working with the commissioner, this board would add great value to the way that we work with people’s personal data, by setting out that code of practice.
I hope that the new clause adds value to the work that the Minister’s Department is already doing. My hope is that by adding it to the Bill—albeit that current Parliaments cannot of course bind their successors and it could be legislated away in the future—it gives a solid grounding to the concept that we take technology ethical issues seriously, that we seek to understand them properly, not as politicians or as busy civil servants, but as experts who can be out with our stakeholders understanding the public policy consequences, and that we seek to have a proper debate with the public, working with enforcers such as the ICO to set, in this wild west, the boundaries of what is and is not acceptable. I commend the new clause to the Committee and hope that the Government will support it.
I beg to ask leave to withdraw the new clause.
Clause, by leave, withdrawn.
New Clause 20
Automated number plate recognition (No. 2)
“(1) Vehicle registration marks captured by automated number plate recognition systems are personal data.
(2) The Secretary of State shall issue a code of practice in connection with the operation by the police of automated number plate recognition systems.
(3) Any code of practice under subsection (1) shall conform to section 67 of the Police and Criminal Evidence Act 1984.”—(Liam Byrne.)
This new clause requires the Secretary of State to issue a code of practice in connection with the operation by the police of automated number plate recognition systems, vehicle registration marks captured by which are to be considered personal data in line with the opinion of the Information Commissioner.
Brought up, and read the First time.
I beg to move, That the clause be read a Second time.
I will touch on this new clause only very briefly, because I hope the Minister will put my mind at rest with a simple answer. For some time, there has been concern that the way in which data collected by the police through automatic number plate recognition technology is not adequately ordered, organised or policed by a code of practice. A code of practice is probably required to put the police well and truly within the boundaries of the Police and Criminal Evidence Act 1984, the Data Protection Act 1998 and the Bill.
With this new clause, we are basically asking the Secretary of State to issue a code of practice in connection with the operation by the police of ANPR systems under subsection (1), and we ask that it conform to section 67 of the Police and Criminal Evidence Act 1984. I hope the Minister will just say that a code of practice is on the way so we can safely withdraw the new clause.
(6 years, 9 months ago)
Public Bill CommitteesI agree—that is why I welcome the Bill. I am saying that we ought to go further, which is why I support the new schedule, and having conversations about ownership.
Returning to the issue of health data, I have personal views about how we might tax revenues from platforms in a better way. I welcome the comments made by the Chancellor of the Exchequer, in line with his counterparts in Europe, about looking at how we tax revenues where they are made, not where the company is headquartered. That is a positive move, but surely if all this NHS data is creating profits for other companies and organisations, we can create a situation in which patients also benefit from that, by sharing in the profits that are made and by seeing value redirected into the health service.
All that becomes anchored in the question of ownership. There is still this legal space that says that data subjects do not own their own data. We need a much broader debate on that. [Interruption.] Members are shaking their heads. I am happy to take interventions, if Members would like.
Will my hon. Friend reflect on the idea that if someone is genuinely a popular capitalist and believes in the distribution of wealth as the basis of economic growth, then recognising and crystallising the value of personal data is actually pro-growth?
I agree entirely. I confess I never got all the way through my version of Piketty, but the idea of value through assets, as opposed to through the stagnating wages in our economy today, plays into this conversation around data. People from poorer backgrounds may not inherit houses or land, but they create their own data every day. It is an asset that should belong to them. They should be able to share in its value when companies around the world are making enormous profits off the back of it. In this digital age, there is a huge call for equality of opportunity and equality of access. We need to try to get those right in these fundamental understandings of the digital market and the rights that exist around it.
Lastly, I encourage and strengthen my right hon. Friend’s arguments on the application of these principles to children. The Committee has already debated how parental consent is not needed after the age of 13. One of my early jobs as legal counsel at BT was the dubious task of consolidating terms and conditions. Hon. Members who are no doubt happy customers of BT, with perhaps broadband, TV and sport, would originally have had to read five or six different documents that were very long and complicated. I had to consolidate those. That was not good enough, so I commissioned a YouTube star to do a video, which can be seen on the terms and conditions page, to try to explain some of these things. Even for adults, this was a really hard and laborious task.
I am not saying that it is for Government to tell businesses how to communicate to children. Second Reading and some of the Committee’s debates show—dare I say it—that we are probably not best placed to have those conversations. However, it is really important that there is an expectation on businesses that they take steps to ensure that children are properly engaged and really understand what they are signing up to, especially as the Government have opted to go to the minimum age range for consent, going to 13.
I just wanted to re-emphasise the debate on ownership and on children. I support my right hon. Friend’s new schedule and new clauses, and I hope the Government will support them.
(6 years, 9 months ago)
Public Bill CommitteesI beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 170 ordered to stand part of the Bill.
Clause 171
Re-identification of de-identified personal data
Question proposed, That the clause stand part of the Bill.
It is a pleasure to serve under your chairmanship this afternoon, Mr Streeter. I want to pursue the debate on the re-identification of de-identified personal data because, as the Minister pointed out, under the general data protection regulation, the idea of pseudonymised data comes into the law for the first time. For example, if my name, as my personal data, is turned into #365, it has been pseudonymised, and the question is whether #365 can be unlocked to identify the name “Darren Jones”. Pseudonymising is distinct from anonymising, which cannot be unlocked.
The question has come up a lot in the Select Committee on Science and Technology, in various contexts. I had a conversation with the Minister and her officials in the Select Committee about one scenario—the use of genetic data in the health service, where lots of data from individuals is pooled together for the purpose of learning about trends. It may be re-applied to the individual in the delivery of care. Another example might involve Facebook clients being able to upload customer lists on to the Facebook advertising profile. Each name would be hashed—pseudonymised—but ultimately targeted advertising could be pushed through to the individual’s profile.
Both those scenarios raise a policy question about the end of the process, when it comes back to the individual—the information has been personally identifiable, then is pseudonymised in a pooled way, and is then re-identified. Will those issues give rise to an offence under the part of the Bill that we are considering, and should consent be different, with the potential for pseudonymised data to be re-identified made clear to the end user? The reason I have not tabled any amendments to deal with the point is that I do not know the answer, but I should welcome the Minister’s views, and perhaps a commitment to have a conversation either with the Information Commissioner or the new data and artificial intelligence ethics unit about different types of consent where data is pseudonymised and then re-identified, either for health purposes or targeted advertising.
I beg to move amendment 151, in clause 177, page 102, line 13, at end insert—
“(4) Notwithstanding any provision in section 6 of the European Union (Withdrawal) Act 2018, a court or tribunal shall have regard to decisions made by the European Court after exit day so far as they relate to any provision under this Act.”.
For fear of sounding like a broken record, my arguments in favour of the amendment are broadly similar to those for amendment 152—in seeking to assist the Government in our shared aim of getting a decision of adequacy with the European Commission, it would be helpful to set out in the Bill our commitment to tracking and implementing European jurisprudence in the area of data protection. Members will remember that amendment 152 dealt with the European data protection board. Amendment 151 makes the same argument, but in respect of the European Court.
I appreciate that there may be some political challenges in stating the aim that the UK will mirror the European Court’s jurisdiction, but the reality is that developing European data protection law, either directly from the courts or through the European data protection board, will in essence come from the application of European law at the European Court of Justice. The amendment does not seek to cause political problems for the Government, but merely says that we ought to have regard to European case law in UK courts, in order to provide the obligation to our learned friends in the judiciary to have regard to European legal decision making and debates in applying European-derived law in the United Kingdom. This short amendment seeks merely to put that into the Bill, to assist the Government in their negotiations on adequacy with the European Commission.
I would like to say a word in support of this important amendment. We had a rich and unsatisfactory debate on the incorporation of article 8 of the European charter of fundamental rights into British law. We think that that would have helped the Government considerably in ensuring that there is no divergence between the European data protection regime and our own. If the Government are successful, they will operate on different constitutional bases, and there is therefore a real risk of divergence over the years to come. I think that everyone on the Committee is now pretty well versed in the damage that that would do to British exports, many of which are digitally enabled. This is a really helpful amendment. It tries to tighten to lockstep that we have to maintain with European data protection regimes, which will be good for exports, services and the British economy, and the Government should accept it.
(6 years, 9 months ago)
Public Bill CommitteesI did not say it was Government policy. I said that there are people within the Administration, including the Secretary of State for Environment, Food and Rural Affairs, who have made the argument for a British Bill of Rights that would remove Britain from the European convention on human rights and, therefore, the Council of Europe. I very much hope that that ambiguity has been settled and that the policy of the current Government will remain that of the Conservative party from now until kingdom come; but the key point for the Committee is that convention 108 is in draft. The modernisation is in draft and is not yet signed. We have heard an express commitment from the Minister to the signing of the thing when it is finalised. We hope that she will remain in her position, to ensure that that will continue to be Government policy; but the modernised version that has been drafted is not yet a convention.
Does my right hon. Friend recognise that the modernisation process started in 2009, with rapporteurs including one of our former colleagues, Lord Prescott? When a process has taken quite so many years and the document is still in draft, it raises the question of how modern the modernisation is.
Some members of the Committee—I am one of them—have been members of the Parliamentary Assembly of the Council of Europe for some time. We know how the Council of Europe works. It is not rapid: it likes to take its time deliberating on things. The Minister may correct me, but I do not think that there is a deadline for the finalisation of the draft convention. So, to ensure that the Government remain absolutely focused on the subject, we will put the amendment to a vote.
Question put, That the amendment be made.
Does my hon. Friend agree that this is also a question of access to the judiciary? Last night, the Information Commissioner had to wait until this morning to get a warrant because no judges or emergency judges were available. At the same time, we assume that Facebook was able to exercise its contractual right to enter the offices of Cambridge Analytica. Emergency judges are available for terrorism or deportation cases. Should there not be access to emergency judges in cases of data misuse for quick regulatory enforcement too?
If I wanted to hide something from a newspaper and I thought that the newspaper was going to print it inappropriately, I would apply for an emergency injunction to stop the newspaper running it. I do not understand why the Information Commissioner has had to broadcast her intentions to the world, because that has given Cambridge Analytica a crucial period of time in which to do anything it likes, frankly, to its data records. The quality of the Information Commissioner’s investigation must be seriously impaired by the time that it has taken to get what is tantamount to a digital search warrant.
Is the Minister satisfied in her own mind that clause 131 and its associated clauses are powerful enough? Will she say more about the Secretary of State’s declaration to the House last night that he would be introducing amendments to strengthen the Commissioner’s power in the way that she requested? When are we going to see those amendments? Are we going to see them before this Committee rises, or at Report stage? Will there be a consultation on them? Is the Information Commissioner going to share her arguments for these extra powers with us and with the Secretary of State? We want to see a strong sheriff patrolling this wild west, and right now we do not know what the Government’s plan of action looks like.
(6 years, 9 months ago)
Public Bill CommitteesI beg to move amendment 152, in schedule 6, page 179, line 17, leave out paragraph 2 (as inserted by paragraph 49) and insert—
“2 The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, incorporate with any modifications which he or she considers necessary in any guidance or code of practice which the Commissioner issues, decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR.
2A The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”
It is a pleasure to serve under your chairmanship, Mr Streeter. I declare my interests as set out in the Register of Members’ Financial Interests.
Amendment 152, like the amendments we tabled on Tuesday, would assist the Government in securing a finding of adequacy from the European Commission so that, if the UK leaves the European Union, we can continue to exchange data with it. As the Committee knows, I like to refer to my version of the general data protection regulation as much as to the Bill, even though it is not the subject of our debate today.
I welcome the Government’s commitments on the Floor of the House to seeking something “akin to” adequacy, then adequacy, and then something “beyond adequacy”. I thank the Minister , the hon. Member for Stourbridge, for her response to my question on Second Reading about wanting “beyond adequacy” to represent a useful position for our Information Commissioner on the European data protection board. Some of us have concerns about that because of the practicalities of what happens with third countries. Indeed, I asked the Information Commissioner herself about it at an evidence session of the Select Committee on Science and Technology, and she confirmed that third countries traditionally have little influence on the article 29 working party—the predecessor of the EDPB—even if they have a seat at the table.
I think our shared view is that in seeking “beyond adequacy”, we want not only to have a seat at the table as a potential third country but to have influence. In order to have that influence, we need to go slightly above and beyond what other third countries do and show close co-operation between the UK and the European Union.
Article 45 of the GDPR sets out guidelines on how the European Commission will assess and agree decisions on adequacy. It has to be happy that our legal framework is in line with its own. Of course, there will be an initial conversation as part of trade negotiations with the European Union. Under paragraph 3, the Commission is then to undertake
“a periodic review, at least every four years”
to ensure that we continue to be compliant. Paragraph 4 refers to ongoing monitoring of developments in third countries in their application of data protection laws and privacy rights.
As I have said on Second Reading and in previous debates on data protection laws, my concern is that we should lockstep the developments in our legislation, guidance and codes of conduct to show that they are still in line with the leading European Union legislative framework for data protection, so that we can continue to flow important amounts of data. Some 70% of our data flow is with the EU, and the UK accounts for a huge proportion—around 11%—of global data flow. We must maintain that. Under article 50 of the GDPR, in deciding on adequacy, the European Commission must seek
“mechanisms to facilitate the effective enforcement of legislation”.
This is our opportunity to show the European Union that we are committed to data protection principles. Amendment 152 would tweak the wording of paragraph 2 of article 61 of the applied GDPR. I was pleased to see that paragraph; in earlier debates I raised some concerns that—for political reasons that I will not go into today—the Bill might not go as far as admitting that we need to track and implement EU law in the area. However, I want to strengthen the paragraph 2 wording, which says that our Information Commissioner must
“have regard to”
various things that happen at European Union level, including
“decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board”.
The amendment seeks to strengthen that slightly, while recognising that the Government, and probably also the Information Commissioner, would like a little flexibility.
This is a wise and carefully crafted amendment. Does my hon. Friend agree that it is especially needed because the Government have rather unwisely decided not to incorporate article 8 into British law, which means there is a risk of courts in Europe and Britain interpreting data protection regimes differently, leading to divergence in future?
I agree. I am attempting not to get too much into the party politics in a bid to seek the Government’s agreement to the amendment, but there is an important distinction to be made. We have a layering of risks in seeking to achieve adequacy. On Tuesday we debated at length the Government’s decision to repeal fundamental rights of the European charter, which we know from European guidelines is something they look to. We will come to issues of national security today, which is also an issue for third countries, as we have seen with Canada.
This small amendment would help mitigate some of that risk by making it clear to our friends in the European Union that we in Britain are proud about the influence we had in drafting the general data protection regulation, which is a world-leading set of laws and rules for the future of our digital economy, and we continue to want to play a part in that, to help lead the conversation in the world and at European Union level. In co-operation with our friends in Europe, we seek to maintain that. While the Government may wish for divergence in other areas, I take the view that they do not in this area because we have been at the forefront of developments.
The amendment seeks only to tweak what is already in the Bill. As Members will see, it says that we would
“incorporate, with any modifications which he or she”—
that is the Information Commissioner—
“considers necessary in any guidance or code of practice… decisions…issued by the European Data Protection Board”.
There is a nuanced difference; the Bill as drafted speaks of having “regard to”, while the amendment speaks of incorporating, with any modifications that the Information Commissioner feels fit. It may seem like I am getting stuck in semantics—I do quite like to do that—but the amendment would deliver an important tone to the European Commission. On passing the Bill, we would be saying that when we are negotiating on data, where we have a shared interest at European and UK level, we want to get it right, and we will have gone beyond the basics of adequacy of other third countries because of our close relationship. We will hopefully have a seat on the European data protection board, where we seek to have influence, and we will take that responsibility seriously and, therefore, we will incorporate decisions of the board into the guidance of UK laws to lockstep our development in the area. As I said, it is made clear in the general data protection regulation that that is to be monitored on a continuous basis and more formally on a periodic basis.
I would not want us to lose adequacy in the future by diverging from European Union law. I want us to have an influential position on the European data protection board, which means being involved in the detail and taking the obligation of carrying that through on our side of the fence. The amendment seeks to bring that tone of co-operation and would help us and the Government in seeking adequacy so that we can secure these important data flows into the future.
It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.
That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.
Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.
I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.
From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.
The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.
The Minister seemed to rest her argument on the need to preserve the Information Commissioner’s discretion, which implies that she is trying to protect the commissioner’s ability to go her own way. That will not help us to secure, lock down or nail to the floor an adequacy agreement in years to come. It will put an adequacy agreement at risk.
My right hon. Friend is exactly right. Of course, the Information Commissioner is an excellent commissioner. We are privileged to have Elizabeth in the role here in the UK, not least with her experience, as a Canadian, of being in a third country. That is why I put some flexibility into my amendment—to recognise that situations may arise about which we cannot hypothesise today in which the commissioner will need some flexibility. Under my amendment, she has the power to add modifications that she considers necessary. The Government’s concerns about the lack of flexibility are not reflected in the drafting of my amendment, as I have tried to deal with that.
The idea that the amendment increases the European data protection board’s power is incorrect, because this is UK law, not European Union law. The amendment merely says that we will go only slightly further, with flexibility, by recognising that in the decisions that we want to be a part of—that is a really important point here—and to influence, we will take the obligations as well as the responsibilities, should we be invited to.
(6 years, 9 months ago)
Public Bill CommitteesI beg to move amendment 152, in schedule 6, page 179, line 17, leave out paragraph 2 (as inserted by paragraph 49) and insert—
“2 The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, incorporate with any modifications which he or she considers necessary in any guidance or code of practice which the Commissioner issues, decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR.
2A The Commissioner must, in carrying out the Commissioner’s functions under this Regulation, have regard to any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).”
It is a pleasure to serve under your chairmanship, Mr Streeter. I declare my interests as set out in the Register of Members’ Financial Interests.
Amendment 152, like the amendments we tabled on Tuesday, would assist the Government in securing a finding of adequacy from the European Commission so that, if the UK leaves the European Union, we can continue to exchange data with it. As the Committee knows, I like to refer to my version of the general data protection regulation as much as to the Bill, even though it is not the subject of our debate today.
I welcome the Government’s commitments on the Floor of the House to seeking something “akin to” adequacy, then adequacy, and then something “beyond adequacy”. I thank the Minister , the hon. Member for Stourbridge, for her response to my question on Second Reading about wanting “beyond adequacy” to represent a useful position for our Information Commissioner on the European data protection board. Some of us have concerns about that because of the practicalities of what happens with third countries. Indeed, I asked the Information Commissioner herself about it at an evidence session of the Select Committee on Science and Technology, and she confirmed that third countries traditionally have little influence on the article 29 working party—the predecessor of the EDPB—even if they have a seat at the table.
I think our shared view is that in seeking “beyond adequacy”, we want not only to have a seat at the table as a potential third country but to have influence. In order to have that influence, we need to go slightly above and beyond what other third countries do and show close co-operation between the UK and the European Union.
Article 45 of the GDPR sets out guidelines on how the European Commission will assess and agree decisions on adequacy. It has to be happy that our legal framework is in line with its own. Of course, there will be an initial conversation as part of trade negotiations with the European Union. Under paragraph 3, the Commission is then to undertake
“a periodic review, at least every four years”
to ensure that we continue to be compliant. Paragraph 4 refers to ongoing monitoring of developments in third countries in their application of data protection laws and privacy rights.
As I have said on Second Reading and in previous debates on data protection laws, my concern is that we should lockstep the developments in our legislation, guidance and codes of conduct to show that they are still in line with the leading European Union legislative framework for data protection, so that we can continue to flow important amounts of data. Some 70% of our data flow is with the EU, and the UK accounts for a huge proportion—around 11%—of global data flow. We must maintain that. Under article 50 of the GDPR, in deciding on adequacy, the European Commission must seek
“mechanisms to facilitate the effective enforcement of legislation”.
This is our opportunity to show the European Union that we are committed to data protection principles. Amendment 152 would tweak the wording of paragraph 2 of article 61 of the applied GDPR. I was pleased to see that paragraph; in earlier debates I raised some concerns that—for political reasons that I will not go into today—the Bill might not go as far as admitting that we need to track and implement EU law in the area. However, I want to strengthen the paragraph 2 wording, which says that our Information Commissioner must
“have regard to”
various things that happen at European Union level, including
“decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board”.
The amendment seeks to strengthen that slightly, while recognising that the Government, and probably also the Information Commissioner, would like a little flexibility.
This is a wise and carefully crafted amendment. Does my hon. Friend agree that it is especially needed because the Government have rather unwisely decided not to incorporate article 8 into British law, which means there is a risk of courts in Europe and Britain interpreting data protection regimes differently, leading to divergence in future?
I agree. I am attempting not to get too much into the party politics in a bid to seek the Government’s agreement to the amendment, but there is an important distinction to be made. We have a layering of risks in seeking to achieve adequacy. On Tuesday we debated at length the Government’s decision to repeal fundamental rights of the European charter, which we know from European guidelines is something they look to. We will come to issues of national security today, which is also an issue for third countries, as we have seen with Canada.
This small amendment would help mitigate some of that risk by making it clear to our friends in the European Union that we in Britain are proud about the influence we had in drafting the general data protection regulation, which is a world-leading set of laws and rules for the future of our digital economy, and we continue to want to play a part in that, to help lead the conversation in the world and at European Union level. In co-operation with our friends in Europe, we seek to maintain that. While the Government may wish for divergence in other areas, I take the view that they do not in this area because we have been at the forefront of developments.
The amendment seeks only to tweak what is already in the Bill. As Members will see, it says that we would
“incorporate, with any modifications which he or she”—
that is the Information Commissioner—
“considers necessary in any guidance or code of practice… decisions…issued by the European Data Protection Board”.
There is a nuanced difference; the Bill as drafted speaks of having “regard to”, while the amendment speaks of incorporating, with any modifications that the Information Commissioner feels fit. It may seem like I am getting stuck in semantics—I do quite like to do that—but the amendment would deliver an important tone to the European Commission. On passing the Bill, we would be saying that when we are negotiating on data, where we have a shared interest at European and UK level, we want to get it right, and we will have gone beyond the basics of adequacy of other third countries because of our close relationship. We will hopefully have a seat on the European data protection board, where we seek to have influence, and we will take that responsibility seriously and, therefore, we will incorporate decisions of the board into the guidance of UK laws to lockstep our development in the area. As I said, it is made clear in the general data protection regulation that that is to be monitored on a continuous basis and more formally on a periodic basis.
I would not want us to lose adequacy in the future by diverging from European Union law. I want us to have an influential position on the European data protection board, which means being involved in the detail and taking the obligation of carrying that through on our side of the fence. The amendment seeks to bring that tone of co-operation and would help us and the Government in seeking adequacy so that we can secure these important data flows into the future.
It is a privilege to serve under your chairmanship, Mr Streeter. I rise to support my hon. Friend on his excellent, very helpful amendment. Earlier in the week we had a debate about the wisdom of incorporating article 8 into the Bill. I want to underline that we now have two different foundations for privacy that will operate post-Brexit in Europe and in the UK. The law is not fixed in aspect; it is a dynamic body of thought and ideas, and in the years to come there is a risk that courts in Europe and in the UK will diverge in how they interpret those fundamental principles.
That risk is all the more profound in this area of public policy because technology is moving so quickly. Therefore, if the Government wanted to do away with the risk to any future adequacy agreements, they would look for any and every opportunity to create bridges between the EU data protection regime and the British regime. The more bridges that are put in place, and the more girders that yoke us together in this field of public policy, the better.
Companies will consider whether regulatory harmonisation in data protection will continue when they make investment decisions in the technology space in the UK. I am afraid that that is now a fact of economic life. The simpler and faster the Government can help companies take those decisions, by putting beyond dispute and doubt any future adequacy agreement, the better. It is in our common interest to try to create stronger links than the Bill offers. I hope that the Government will accept the amendment.
I thank the Minister for her useful reply. She is right, of course, that the applied GDPR is different from the real GDPR. As I said, I am seeking to establish a beyond-adequacy outcome, which is the Government’s intention, according to their comments on Second Reading.
From other third countries, we know that adequacy decisions look at areas of non-EU competence—we will get into the detail of that later in the context of national security and the ongoing conversations with Canada; we already had a conversation on Tuesday about fundamental rights. Under the regulation, the European Commission has the power to look at the whole legislative environment in a third country, even where it is not an area of EU competence. That is an important point to be clear on.
The relationship may be unique compared with other third countries, but we are in a unique position as we leave the European Union. If we want to have strong, sustainable, ongoing adequacy, it is important that we take steps to establish that.
The Minister seemed to rest her argument on the need to preserve the Information Commissioner’s discretion, which implies that she is trying to protect the commissioner’s ability to go her own way. That will not help us to secure, lock down or nail to the floor an adequacy agreement in years to come. It will put an adequacy agreement at risk.
My right hon. Friend is exactly right. Of course, the Information Commissioner is an excellent commissioner. We are privileged to have Elizabeth in the role here in the UK, not least with her experience, as a Canadian, of being in a third country. That is why I put some flexibility into my amendment—to recognise that situations may arise about which we cannot hypothesise today in which the commissioner will need some flexibility. Under my amendment, she has the power to add modifications that she considers necessary. The Government’s concerns about the lack of flexibility are not reflected in the drafting of my amendment, as I have tried to deal with that.
The idea that the amendment increases the European data protection board’s power is incorrect, because this is UK law, not European Union law. The amendment merely says that we will go only slightly further, with flexibility, by recognising that in the decisions that we want to be a part of—that is a really important point here—and to influence, we will take the obligations as well as the responsibilities, should we be invited to.
(6 years, 9 months ago)
Public Bill CommitteesI am afraid we have heard a very weak argument against new clause 12. The Minister sought to prosecute two lines of argument: first, that new clause 12 risks confusion in the courts; and, secondly, that it is not needed. Let me take each in turn.
First, there can be no risk of confusion because this is not a new right. It is a right we already enjoy today, and our courts are well practised in balancing it with the other rights we enjoy. We are simply seeking to roll over the status quo into the future to put beyond doubt an adequacy agreement not just in the immediate years after we leave the European Union but in the decades that will follow.
Secondly, the Minister sought to persuade us that the new clause was not needed, and she had a couple of different lines of attack. First, she said that the source of our new protections would be the incorporation of EU case law and legislation as enshrined by the European Union (Withdrawal) Bill. Of course, that is simply not applicable to this case, because the one significant part of European legislation that the withdrawal Bill explicitly does not incorporate is the European charter of fundamental rights. The Minister slightly gave the game away when she read out the line in her briefing note that said that the rights we currently have in EU law would be enshrined and protected “so far as it is possible to do so.” That is exactly the kind of risk we are seeking to guard against.
As noble peers argued in the other place, the challenge with incorporating the GDPR into British law is that this is a piece of regulation and legislation that reflects the world of technology as it is today. It is not the first bit of data protection legislation and it will not be the last. At some point in the years to come, there will be a successor piece of legislation to this Bill and the courts’ challenge will be to make judgments that interpret an increasingly outmoded and outdated piece of legislation. We have to ensure that judgments made in the British courts and in the European courts remain in lockstep. If we lose that lockstep, we will jeopardise the future of an adequacy agreement. That will be bad for Britain, bad for British businesses and bad for technology jobs in all our constituencies.
The challenge we have with regulating in this particular field is that sometimes we have to be anticipatory in the way we structure regulations. Anyone who has spent any time with the British FinTech industry, which Ministers are keen to try and enhance, grow and develop for the years to come, will know that FinTech providers need to be able to test and reform bits of regulation in conjunction not only with the Information Commissioner but with other regulators such as the Financial Conduct Authority. For those regulators to be able to guarantee a degree of regulatory certainty, sometimes they will need to look beyond the letter of a particular piece of legislation, such as the Data Protection Bill when it becomes an Act, and reflect on the spirit of that legislation. The spirit is captured best by fundamental rights. The challenge we have is in the thousands of decisions that our regulators must take in the future. How do we put beyond doubt or dispute the preservation of regulatory lockstep with our single most important market next door?
The Uruguayan defence offered by the Minister will reassure few people. We should not be aspiring to the Uruguayan regime; we should be aspiring to something much deeper, more substantive and more harmonious. The Minister’s proposal will create a field day for lawyers. We all like lawyers; some of our Committee members are former lawyers—recovering lawyers in some cases. Lawyers should enjoy a profitable and successful future, but we in this House do not necessarily need to maximise their profit-making possibilities in the future. However, that is exactly what the Minister is doing by creating a pot pourri of legislation, which lawyers and judges will have to pick their way through. It is much simpler, much lower-risk, much safer and better for economic growth if we put beyond doubt, dispute and question the harmonisation of our data protection regime with our single most important market. That is why we need to incorporate article 8.
I have a copy of the general data protection regulation here. Recital 1 on the first page states:
“The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union—”.
Is it not the case, to use some imagery here, that at the moment the GDPR is built on a foundation as on page one of this fundamental right in the same way as a house is built on strong foundations? Are we now not seeking to build the same house but without the foundations? Does this risk us sinking our decision on adequacy?
My hon. Friend is right. He speaks with tremendous knowledge on this particular subject. There is a real risk that one of our most important industries will have its foundations wrecked by the inadequacies of this piece of legislation. There is no risk of confusion, there is no creation of a new and unchecked, unfettered right. We can draw no comfort from the EU (Withdrawal) Bill. There is a great risk of regulatory confusion and divergence over the years to come. I simply cannot understand why the Government would seek to put dogma and not the future protection of the British technology industry first.
This is not a trivial or frivolous issue; it has been put forward by the industry association representing half of technology jobs in this country. I hope that the Committee is persuaded by these arguments. We will seek to prosecute these arguments in a vote, at your discretion, Mr Hanson, but I hope that before we get to that point, the Government will see sense and accept the amendment.
(6 years, 9 months ago)
Public Bill CommitteesI feel for the Under-Secretary, because she is on a bit of a sticky wicket given the Government’s drafting, but does my right hon. Friend agree that it is concerning that I asked twice to be pointed to specifics—I asked first how the pause is drafted in the Bill, and secondly where the word “immigration” appears under article 23 of the GDPR—but on neither occasion was I was pointed to them? We ought also to draw the Committee’s attention to the report on the Bill by the Joint Committee on Human Rights, which states:
“The GDPR does not expressly provide for immigration control as a legitimate ground for exemption.”
My hon. Friend is bang on the money, but perhaps the Under-Secretary can enlighten us.