Matt Hancock
Main Page: Matt Hancock (Conservative - West Suffolk)It normally says at the start of a Minister’s speech in response to an Adjournment debate, “Let me start by thanking the hon. Member for securing this important debate,” and this time I really mean it, because this is an important subject. Although the hon. Member for Cambridge (Daniel Zeichner) and I sit on opposite sides of the House, we have a similar interest in the subject and want to go in a similar direction in terms of the data protection regime that applies in the UK. We also share a common understanding of the value of data in a digital economy.
That does not surprise me, because the hon. Gentleman is not only an expert in his own right, but as MP for Cambridge he represents one of the most data-rich constituencies in the country. It is very good to see continuing investment in tech companies in Cambridge, including after 23 June. In fact, one of the biggest foreign investments in any British company ever was the investment in ARM Holdings based in Cambridge in July this year. That was a vote of confidence in British tech post-referendum, and since then we have seen investment decisions intrinsically based on the strength of our data systems, by companies such as Google, Facebook, Apple, Microsoft, IBM and others, all of whom have made significant investment decisions into the UK post-Brexit. We have been clear that the general data protection regulation will apply in the UK from May 2018. We fully expect still to be in the EU at that point. That is why we have announced that we will ensure that the GDPR will apply in the UK from then.
The information rights landscape has evolved rapidly in the past decade, as the hon. Gentleman set out. The ability to collect, share and process data is critical to success in today’s digital global society. It is right to update our data protection regime not only because we will still be in the EU, but because it is time to update it, given the enormous changes that have taken place.
We were clear in the negotiations on the GDPR that any new data protection legislation needs to meet the need for high standards of protection for individuals’ personal data while not placing disproportionate burdens on businesses and organisations. The UK was successful in negotiating a more risk-based approach to the GDPR, allowing for greater flexibility in relation to the regulation’s mandatory requirements, such as on data protection impact assessments and data protection officers. We want a scheme that works effectively, protects data and is flexible to ensure that our data economy thrives. Therefore, we were successful in negotiating a reduction in some of the red tape and bureaucracy for ordinary businesses whose primary activities are not data processing but who have data that need to be protected. We succeeded in the negotiations to give greater discretion to the UK’s Information Commissioner in the way it enforces breaches of the regulation.
The new rules will strengthen rights and empower individuals to have more control over their personal data, for example, by providing individuals with greater access to their personal data and information on how their data are being used, and a new right to data portability, making it easier to transfer personal data between service providers. In addition, the GDPR provides important new safeguards, including new fines of up to 4% of an organisation’s annual global turnover, or €20 million, in the most serious cases of breaches of the regulation. Therefore, this is an important call to action for businesses to offer individuals assurances that their data are protected.
The hon. Gentleman asked a series of questions about the implementation of the GDPR. We now need to press ahead with implementation. It will become directly applicable in UK law on 25 May 2018, but a lot of preparatory work needs to be done in the meantime, both in government and by businesses throughout the country. We are now working on the overall approach and the details of that implementation. Details of any new legislation in this area will be made in due course and announced in the normal way, but I can tell him that we are considering these matters in great detail as we speak.
It is important for businesses and organisations to prepare now for the new standards of data processing. A lot of work has already taken place, but there is much for businesses to do to ensure that their processes and practices are aligned with the GDPR. The Information Commissioner is providing regular updates on the steps that organisations and individuals should take to prepare for the new legal framework and will continue to provide guidance over the next few months. We plan to consult with stakeholders on key measures where we have the opportunity to apply flexibilities, which the hon. Gentleman mentioned, in the regulation to maximise and to protect our domestic interests and to get the balance right between delivering the protection that people need and ensuring that the regulation operates in a way that ensures that the UK’s data economy can be highly successful. For example, one measure will be on what the age of consent should be for children who wish to access information services. We want a data protection framework that works best for the UK and meets our needs. Those consultations will be forthcoming.
The hon. Gentleman also asked about the issue of adequacy and the need for our data protection regime to be interoperable with data regimes around the world. It is a question of our data relationship not only with the European Union, but with other countries, too, because the data economy is truly global. We have made progress in our argument within the EU that data localisation rules are not appropriate. That is a live issue in the EU at the moment. There is also work to be done between now and 2018 to make sure that we achieve a coherent data protection regime and that data flows with the EU are not interrupted after we leave. The Government are considering all options for the most beneficial way of ensuring that the UK’s data protection regime continues to build a culture of data confidence and trust that safeguards citizens and supports businesses in a global data economy.
Without having been able to prejudge the publication of consultations and of legislative plans, I hope that I can reassure the hon. Gentleman and the tech industry in the UK that we are doing all we can to ensure that our future data standards are of the very highest quality, including their international links, and that we get the balance right between ensuring the high levels of protection that individuals and companies need and ought to expect with the appropriate levels of flexibility to make sure that our data economy can be one of the strongest in the world.
The Minister is making a deft response and I am listening closely to him. Could he say more about the impact of the Investigatory Powers Act 2016, which has been raised, and the difficulty that it might present to achieving an adequacy agreement?
I was about to come on to that issue, which was raised in the Digital Economy Bill Committee. The Bill includes important data-sharing arrangements, supported by the Labour Government in Wales, to improve public services and other things by ensuring that data are appropriately shared. Those sharing arrangements will still be protected by the data protection regime. The Bill is drafted according to the current law, which is the Data Protection Act. It is not possible to draft legislation in anticipation of future legislation; that is not how the body of legislation works. If and when legislation is proposed to amend an existing system such as the Data Protection Act, one would expect it to include an amendment to the Digital Economy Bill, should this Parliament enact it, in order to make it consistent. That is how legislation is made in the UK. It is neither possible nor logically sensible to legislate in anticipation of future legislation, even if we fully expect it to come into force. All of the existing statute and the Digital Economy Bill, which is currently before the other place, are drafted with reference to the existing regime because the Bill will come into force before the expected future regime comes into existence in 2018.
That explanation may have been more convoluted than it needed to be, but I hope it shows why the Bill—and, indeed, other recent legislation—is drafted in that way. I have heard the complaints, but they simply miss the point of how legislation is made and framed. I hope that that answers the hon. Gentleman’s question and that he is reassured that we are working to implement a modern and effective data protection framework, fit for purpose for the digital age. I welcome his input.
Question put and agreed to.