(6 years, 9 months ago)
Public Bill Committees
Absolutely. That is why the European Commission has been working on it for so long. Today’s legislation incorporates a bit of European legislation into British law.
The crime that may have been committed is the international transfer of data. It is highly likely that data collected here in the UK was transferred to the United States and deployed—weaponised, in a way—in a political campaign in the United States. It is not clear that that is legal.
The scandal has knocked about $40 billion off the value of Facebook. I noted with interest that Mr Zuckerberg dumped a whole load of Facebook stock the weekend before the revelations on Monday and Tuesday, and no doubt his shareholders will want to hold him to account for that decision. I read his statement when it finally materialised on Facebook last night, and it concerned me that there was not one word of apology to Facebook users in it. There was an acknowledgement that there had been a massive data breach and a breach of trust, but there was not a single word of apology for what had happened or for Facebook basically facilitating and enabling it. That tells me that we simply will not be able to rely on Facebook self-policing adherence to data protection policies.
The hon. Member for Hornchurch and Upminster is absolutely right—that is why the Bill is absolutely necessary—but the question about the clause is whether the sanctions for misbehaviour are tough enough. Of the two or three things that concerned me most this week, one was how on earth it took the Information Commissioner so long to get the warrant she wanted to search the Cambridge Analytica offices. The Minister may want to say a word about whether that warrant has now been issued. That time lag begs the question whether there is a better way of giving the Information Commissioner the power to conduct such investigations. As we rehearsed in an earlier sitting, the proposed sanctions are financial, but the reality is that many of Cambridge Analytica’s clients are not short of cash—they are not short of loose change—so even the proposed new fines are not necessarily significant enough.
I say that because we know that the companies that contract with organisations such as Cambridge Analytica are often shell companies, so a fine that is cast as a percentage of turnover is not necessarily a sufficient disincentive for people to break the law. That is why I ask the Minister again to consider reviewing the clause and to ask herself, her officials and her Government colleagues whether we should consider a sanction of a custodial sentence where people get in the way of an investigation by the Information Commissioner’s Office.
I am afraid that such activities will continue. I very much hope that the Secretary of State for Digital, Culture, Media and Sport reflects on our exchange on the Floor of the House this morning and uses the information he has about public contracts to do a little more work to expose who is in the network of individuals associated with Cambridge Analytica and where other companies may be implicated in this scandal. We know, because it has said so, that Cambridge Analytica is in effect a shell company—it is in effect a wholly owned subsidiary of SCL Elections Ltd—but we also know that it has an intellectual property sharing agreement with other companies, such as AggregateIQ. Mr Alexander Nix, because he signed the non-disclosure agreement, was aware of that. There are relationships between companies around Cambridge Analytica that extend far and wide. I mentioned this morning that I am concerned that the Foreign and Commonwealth Office may be bringing some of them together for its computational propaganda conference somewhere in the countryside this weekend.
The point I really want the Minister to address is whether she is absolutely content that the sanctions proposed under the clause are sufficient to deter and prosecute the kind of misbehaviour, albeit still only alleged, that has been in the news this week, which raises real concerns.
I will be very brief, because I will largely echo what the right hon. Member for Birmingham, Hodge Hill said. It is absolutely fair to say that our understanding of the potential value of personal information, including that gained by people who break data protection laws, has increased exponentially in recent times, as has our understanding of the damage that can be done to victims of such breaches. I agree that it is not easy to see why the proposed offences stop where they do.
I have a specific question about why there is a two-tier system of penalties. There is a set of offences that are triable only in a summary court and for which there is a maximum fine. I think the maximum in Scotland and Northern Ireland is £5,000. There is a second set of offences that could conceivably be triable on indictment, and there is provision there for an unlimited fine, but not any custodial sentence.
For some companies, if they were in trouble, a £5,000 fine for essentially obstructing justice would be small beer, especially if it allowed them to avoid an unlimited fine. It would be interesting to hear an explanation for that. Many folk would see some of the offences that are triable on indictment as morally equivalent to embezzlement, serious theft or serious fraud, so it is legitimate to ask why there is no option for a custodial sentence in any circumstance.
I certainly share the concerns that hon. Members have expressed in the light of the dreadful Cambridge Analytica scandal. I will set out the penalties for summary only offences, which lie in clause 119, “Inspection of personal data in accordance with international obligations”; clause 173, “Alteration etc of personal data to prevent disclosure”; and paragraph 15(1) of schedule 15, which contains the offence of obstructing the execution of a warrant. The maximum penalty on summary conviction for those offences is an unlimited fine in England and Wales or a level 5 fine in Scotland and Northern Ireland.
Clause 189(2) sets out the maximum penalties for offences that can be tried summarily on indictment, which include offences in clause 132 “Confidentiality of information”; clause 145 “False statements made in response to an information notice”; clause 170 “Unlawful obtaining etc of personal data”; clause 171 “Re-identification of de-identified personal data”; and clause 181 “Prohibition of requirement to produce relevant records”. Again, the maximum penalty when tried summarily in England or Wales, or on indictment, is an unlimited fine. In Scotland and Northern Ireland, the maximum penalty on summary conviction is a fine
“not exceeding the statutory maximum”
of an unlimited fine when tried on indictment.
(6 years, 9 months ago)
Public Bill Committees
I am grateful to my hon. Friend the Member for Edinburgh South for keeping me warm and enthused.
The amendment is important. None of us wants to damage the right and power of whistleblowers to bring important information into the public domain, sometimes to the attention of regulators, sometimes to the attention of organisations, such as the Health and Safety Executive, and sometimes to the attention of Members. Over the years, we have put in place a good regime in order to ensure that whistleblowers are afforded protections that allow them to come forward with information that is in the public interest.
The reason we have to consider that now is that data protection legislation is being strengthened by the incorporation of GDPR into British law. However, the risk is that the ambiguities that frame the protection of whistleblowers in the Bill are such that many are concerned that whistleblowers will not be given the right protection against data protection legislation.
The Government recognise that it is important to protect whistleblowers. There is a protection in clause 170 for whistleblowers bringing forward information that is
“justified as being in the public interest.”
The argument put to us by Public Concern at Work and others is that that approach is unlikely to be effective. We are told that there will be a new test in law, which will therefore require guidance from the courts. Until that time, the precise meaning will obviously be a bit moot, and the scope of the situations that the Government seek to protect will remain a little uncertain. That uncertainty and ambiguity will jeopardise an individual who might have something important to bring to the attention of the outside world.
Exceptions to violations in personal data confidentiality were recently considered by the Government in section 58 of the Digital Economy Act 2017, which provided a far more comprehensive list of exceptions. Where there is overlap between the Bill and the Digital Economy Act, it appears that the Act deals much more satisfactorily with whistleblowers.
I remind the Committee that section 58 of the Act says that the offence does not apply to a disclosure
“which is a protected disclosure for any of the purposes of the Employment Rights Act 1996 or the Employment Rights (Northern Ireland) Order 1996”.
We therefore have a pretty well established and grounded definition of exceptions. Indeed, it was so well defined and grounded that the Government decided to use that definition in the 2017 Act. It is not clear why the Bill seeks to create alternative definitions and therefore the need for alternative tests and guidance in the courts when we have a definition we can rely on.
The Opposition amendment would return us to what we think was sensible drafting in the Digital Economy Act. That Act is not ancient history—it was only 12 months ago. Otherwise, the risk is that the Government, employers, courts and trade unions will get into an awful muddle as they try to understand which legislation protects whistleblowers in new circumstances. None of us wants to create a situation of uncertainty and ambiguity that stops whistleblowers from coming forward with important information.
I therefore hope we can have a useful debate about why the Government have chosen to introduce new definitions when it is not clear that they are improvements on well-established employment law that dates back to the Employment Rights Act 1996. Let us hear what the Minister has to say, but I hope the Government reflect on the arguments we rehearse this afternoon and introduce further enhancements and perfections on Report.
The right hon. Gentleman is correct: it is essential that we do not create an offence in the clause that will snare whistleblowers. I am sure the Committee shares that goal. Indeed, if we created such an offence, whistleblowers would no longer be whistleblowers—a qualifying disclosure would no longer be a qualifying disclosure if it were an offence under different legislation, including the Bill.
We will listen carefully to what the Minister says, but, to come at it from a slightly different angle, as I understand it, the Employment Rights Act currently requires a “reasonable belief” by the worker making the whistleblowing disclosure that it is in the public interest to disclose that information. That seems a slightly easier test than the one contained in a defence in subsection (2) of the clause, which requires not a “reasonable belief”—those words do not appear—but proof that disclosure was justified in the public interest. There is also a contrast with subsection (3), where a reasonable belief test is applied to a defence but only in circumstances of publication of either journalistic, artistic or literary material.
It is not clear to me why there is a reasonable belief test in subsection (3) but not in subsection (2). I am interested to hear what the Minister has to say about that distinction.
(6 years, 9 months ago)
Public Bill Committees
I rise briefly to support my hon. Friend’s excellent speech. The ambition of Opposition Members on the Committee is to ensure that the Government have in place a strong and stable framework for data protection over the coming years. Each of us, at different times in our constituencies, have had the frustration of working with either local police or their partners and bumping into bits of regulation or various procedures that we think inhibit them from doing their job. We know that at the moment there is a rapid transformation of policing methods. We know that the police have been forced into that position, because of the pressure on their resources. We know that there are police forces around the world beginning to trial what is sometimes called predictive policing or predictive public services, whereby, through analysis of significant data patterns, they can proactively deploy police in a particular way and at a particular time. All these things have a good chance of making our country safer, bringing down the rate of crime and increasing the level of justice in our country.
The risk is that if the police lack a good, clear legal framework that is simple and easy to use, very often sensible police, and in particular nervous and cautious police and crime commissioners, will err on the side of caution and actually prohibit a particular kind of operational innovation, because they think the law is too muddy, complex and prone to a risk of challenge. My hon. Friend has given a number of really good examples. The automatic number plate recognition database is another good example of mass data collection and storage in a way that is not especially legal, and where we have waited an awfully long time for even something as simple as a code of practice that might actually put the process and the practice on a more sustainable footing. Unless the Government take on board my hon. Friend’s proposed amendments, we will be shackling the police, stopping them from embarking on many of the operational innovations that they need to start getting into if they are to do their job in keeping us safe.
I will speak briefly in support of amendments 142 to 149, as well as new clauses 3 and 4. As it stands, clause 64 requires law enforcement data controllers to undertake a data protection impact assessment if
“a type of processing is likely to result in a high risk to the rights and freedoms of individuals”.
That assessment would look at the impact of the envisaged processing operations on the protection of personal data and at the degree of risk, measures to address those risks and possible safeguards. If the impact assessment showed a high risk, the controller would have to consult the commissioner under clause 65.
It is important to be clear that the assessment relates to a type of processing. Nobody is asking anyone to undertake an impact assessment every time the processing occurs. With that in mind, the lower threshold for undertaking an assessment suggested in the amendments seems appropriate. We should be guarding not just against probable or high risks, but against any real risk. The worry is that if we do not put these tests in place, new forms of processing are not going to be appropriately scrutinised. We have had the example of facial recognition technology, which is an appropriate one.
New clauses 3 and 4 do a similar job for the intelligence services in part 4, so they also have our support.
(6 years, 9 months ago)
Public Bill Committees
This morning we had a discussion about some of the Henry VIII clauses contained in the Bill. In essence, I said that when we are talking about personal information—particularly, in such circumstances, sensitive personal information—there should be a strong presumption against Henry VIII clauses, with the onus being on the Government to justify why delegated legislation is the appropriate way to make changes to our data protection rules.
Throughout the passage of the Bill we will continue to challenge the Government to justify delegated powers proposed under the Bill. This clause is the next example of that arising, so in our view it falls on the Minister to explain why she seeks delegated authority to exercise certain functions under the GDPR. I look forward to hearing what she has to say.
We agree that the clause offers Ministers a rather sweeping power to introduce new regulations. Over the course of what has been quite a short day in Committee we have heard many reasons to be alarmed about equipping Ministers with such sweeping powers. We proposed an amendment to remove the clause, which I think was not selected because we have this stand part debate. What we need to hear from the Minister are some pretty good arguments as to why Ministers should be given unfettered power to introduce such regulations without the effective scrutiny and oversight of right hon. and hon. Members in this House.