Data Protection Bill [Lords] Debate
Matt Hancock (Conservative - West Suffolk)
(6 years, 9 months ago)
Commons Chamber
I beg to move, That the Bill be now read a Second time.
This House has a noble track record of working with rather than against technology. Whether it was the Electric Lighting Act 1882, which paved the way for electricity in the 19th century, or the Television Act 1954, which opened up our airwaves to commercial TV broadcasters in the 20th century, we have always helped pioneers to overcome obstacles and to use technology to make life better. The Data Protection Bill will do this, too. It will give people more power and control over their online lives while supporting innovation and entrepreneurship in the digital age, helping to make Britain fit for the future.
The Bill will deliver real benefits across the country, helping our businesses to compete and trade abroad. Strong data protection laws give consumers confidence in the products and services that they buy, and that is good for business, not bad. The Bill provides a full data protection framework as we leave the EU, consistent with the general data protection regulation in EU law. In October, the House debated how our data protection landscape will look after we leave the EU. Members on both sides agreed that the unhindered flow of data between the UK and the EU is vital and in the interests of both. Through today’s Bill, we can make that a reality.
I am grateful to the Secretary of State for his opening remarks about the importance of the House supporting technology. He will know that data drives our economy and society in ways that people can find difficult to follow. The internet of things will increase exponentially the data trail we all leave, but the digital charter suggests only that private companies follow best practice. Does he not recognise the importance of data rights? Why is he not bringing forward a Bill of data rights?
I absolutely do, and the Bill does bring forward the right to the protection of personal data, as I will set out. It is incredibly important to ensure that such rights keep pace with the sort of modern technologies that the hon. Lady—she is extremely well informed on these topics—refers to, such as the internet of things. The Bill will directly address the issue she raises by strengthening citizens’ rights in this new digital era, and I will detail the new rights later.
As digital becomes default in our society, people are trusting businesses and public services with more personal and sensitive data than ever before, including through their personal use of the internet and the internet of things, yet without trust that that data will be properly handled, the digital economy simply cannot succeed. Trust underpins a strong economy, and trust in data underpins a strong digital economy. The Bill will strengthen trust in the use of data by enhancing the control, transparency and security of data for people and businesses across the UK. I will speak to each of these three in turn.
First, on control, the Bill delivers on our commitment in the digital charter to empower citizens to take control of their data—after all, data belongs to citizens even when it is held by others—and sets new standards for protecting data while giving new rights to remove or delete it. Everyone will have the right to make sure that the data held about them is fair and accurate, and held in a way that aligns with rigorous principles.
Is it really accurate to say that everyone will have that right, given the immigration exemption?
Yes, of course. Everyone who is a British citizen will have the right to make sure that data about them is held fairly and accurately, and in alignment with rigorous principles. The hon. and learned Lady raises obliquely the point that the Bill contains important exemptions, including those to allow MPs to act on behalf of constituents as part of their casework, and to ensure that we can properly police our borders. I will come to that in more detail later. Nevertheless, at the heart of the Bill is citizens’ ability to control the data that companies and other organisations hold about them.
Further to the point made by the hon. and learned Member for Edinburgh South West (Joanna Cherry), will the Secretary of State explain the legal basis for the immigration exemption from the general data protection regulation?
Yes, of course. Exemptions from the GDPR are allowed so that necessary activities can be carried out, including that of making sure that a minority of individuals cannot abuse data protection law with the sole intent of undermining immigration controls. That is provided for in the necessary exemptions. I know that this point was debated extensively in the other place, but we firmly believe not only that it is important to ensure that we can control our borders through immigration controls, but that this is provided for in the GDPR.
The Secretary of State says that the immigration exemption is covered by the GDPR, but is he aware of legal opinion saying that the text of parts 1 and 4 of schedule 2 does not in fact reflect the stated permissible exemptions under article 23 of the GDPR? That is independent legal opinion, not mine.
Of course, there are always legal opinions about everything, and our legal opinion is that that is consistent—that is the basis on which we are proceeding. As I am sure the vast majority of Members would agree, it is important that we control our borders.
The Bill provides new data rights, including a stronger right to be forgotten.
I welcome the element of the Bill about the right to be forgotten. I am sure that the Secretary of State is aware that the Digital, Culture, Media and Sport Committee is carrying out an inquiry into fake news, during which this whole issue of data—who owns it, who holds it and who knows what about whom—has come under the spotlight. Can he say how the Bill might help to control that?
Before he does, will the Secretary of State give way?
I will happily respond to both points. Under the Bill, data must be deleted unless there are legitimate grounds for retaining it. The details of what is meant by legitimate grounds will be set out in recitals and then guidance from the Information Commissioner. This is one area in which the right to be forgotten, which has been long dreamt of and thought about, is now being legislated for, and the precise details of where it applies will be set out in guidance, as the Bill states only that there need to be legitimate grounds for retaining data.
Can we be certain that this right to be forgotten will not impede freedom of speech? I am thinking of Max Mosley, of course, and the information that came out on what he said in 1961, which is relevant and pertinent to current debates. We should do nothing that limits the right of a free press.
I wholeheartedly agree with my hon. Friend about not limiting the rights of the free press. He might be aware of amendments that were made in the other place on exactly that issue and that are supported by a number of Members of this House, including, notably, some who are also supported by Max Mosley. I think that we should remove those two provisions. The ability of our press properly to scrutinise is important and should not be undermined in the ways proposed, but I will come to that in more detail later.
The right to be forgotten is an important element of making sure that data is held appropriately and when there are legitimate grounds. The Bill also allows for data portability—a person’s right to transfer their data from one provider to another.
As the Secretary of State is describing, the Bill puts into UK law the EU’s general data protection regulation, which is the right thing to do. I am confident that he would agree that we need to ensure that our data protection rules stay in line with the EU regulation as things develop. Does it trouble him that we will have less influence over the future content of the EU’s rules once we have left it?
I agree that this is a strong set of data protection standards. We intend to stay aligned with the EU standards, not least because they are extraterritorial, which means that anyone wanting to do any business or transactions with EU citizens would have to follow them anyway. There is therefore a very strong case for alignment in this area. Indeed, we have set out that we want the Information Commissioner to remain engaged with the future development of technical standards because we expect the GDPR effectively to become a standard that is increasingly followed around the world by companies that want to engage with the EU, and because we believe that high data protection standards go hand in hand with the capability to innovate and provide for customers. The Prime Minister was, of course, clear about the detail on Friday.
I am afraid that the Secretary of State has not answered the question asked by the right hon. Member for East Ham (Stephen Timms). Is it not true that UK companies will be bound by rules that the EU will decide? Those rules will affect a huge amount of business, but we will have no influence over them after we leave the EU?
I thought I had answered the question—the right hon. Member for East Ham (Stephen Timms) was nodding, so I thought I had at least had a crack at it. As the Prime Minister set out on Friday, and as we set out for the first time last August, we will seek, through the Information Commissioner’s Office, to remain engaged in those technical discussions about the future of the rules. As was proposed in the Conservative party manifesto, the Bill also gives young people the right to have data about them removed once they are 18 years old.
The second element is transparency, which is absolutely vital. All citizens should be able to know what is happening to their data and how it is being used. The Bill requires data controllers to give people information about who controls data, the purpose of processing it, and how long it will be stored. That is especially crucial in a world in which emerging technologies such as artificial intelligence are making increasingly important ethical decisions. The Bill therefore provides powers for the restriction of automated decision making and safeguards for those whose data is used. Our new centre for data ethics and innovation will advise on those safeguards, so that we can promote innovation and respond quickly to changes in technology with clear and transparent guidelines that are based on openness and consent.
The third principle is security. The Bill enhances requirements relating to the security of data and strengthens enforcement for those who do not comply. Data security and innovation go hand in hand, and this move will benefit customers and all responsible businesses. The Data Protection Act 1998 has served us well and placed the UK at the forefront of global data protection standards, but the world has changed since 1998, and the Bill updates the position to make our laws fit for purpose in an increasingly digital economy and society. It modernises many of the offences under the Act and creates new offences to help us to deal with emerging challenges.
The Secretary of State is being very generous in taking interventions. He has probably heard from the National Association of Local Councils, which represents parish and town councils. It has asked that an external data protection officer will not have to be appointed at every council level. There would be a cost of some £3.5 million to the smallest but most relevant authorities, so will the Secretary of State be sympathetic to its request for relief from that onerous responsibility?
I have received representations not only from the National Association of Local Councils, but from the Suffolk Association of Local Councils and many of my own parish councils—including Moulton Parish Council—which do an admirable job in telling me about the pressures facing parish councils throughout the country. I pay tribute to them for their efforts, and for the length of their representations to me.
Of course it is important for parish councils, and other local councils, to follow high-quality data protection standards. The Information Commissioner’s Office has provided extensive guidance to help organisations to prepare for their new responsibilities, and I urge councils to look at it.
The responsibilities of data protection officers—this is relevant to the issue raised by the hon. Gentleman—can be implemented in different ways. For instance, several parish councils can choose to share a single data protection officer, provided that he or she is easily accessible from each establishment. The system does not require the hiring of one person per organisation. Organisations have already been set up to provide this service, and the service itself is important. In the case of a small organisation, such as a very small business or a parish council on a low budget, it is still important for data to be handled and protected carefully, because small organisations too can hold very sensitive personal information. I am extremely sympathetic to the plight of small businesses that must deal with regulation—especially as I come from a small business background myself—but I am also convinced that it is good practice to follow high-quality data protection standards and that it is good for organisations to do so.
I thank my right hon. Friend for giving way. He is being very generous.
I knew that some small businesses in my constituency were concerned about the impact of the GDPR, so I telephoned the Information Commissioner’s Office to find out what support was available to them. The only answer that the office could give to every question that I asked about how the GDPR would affect small businesses was “Go to the website.” Does my right hon. Friend agree that we should expect better from a telephone line that is funded by the taxpayer?
I am glad that there is a telephone line. I am sure that the Information Commissioner will be watching the debate and will hear the plea for clear guidance on how small organisations in particular should implement data protection standards, whether they are small councils or small businesses. However, the Information Commissioner’s Office has already provided clearer guidance, as well as the telephone line. It is obviously listening, with the aim of getting the guidance right and ensuring that, in lay terms, meeting the new standards is straightforward. This issue came up in the other place as well. It is important for us to get the implementation right, especially in the case of small organisations.
The Secretary of State has referred to the right to be forgotten. May I suggest that there might be another right, namely the right to be remembered correctly? All too often, in response to freedom of information requests about, for instance, national security, the Government have imposed a blanket ban on the publication of any information—even many years after the individual concerned has died, when it is pretty difficult to see why there should still be a national security issue. I wonder whether it would not be a good idea for us to have some means of extracting such information in 20, 30, 40 or 50 years’ time.
The Bill does not change the freedom of information regime. However, it does establish a data protection regime relating to intelligence services and national security, about which I shall say more shortly, and which will no doubt be scrutinised by the House. The specific issue of the release of records is not in the scope of the Bill, because it is about the protection of live data rather than the release of records. The 30-year rule has, in the main, been changed to a 20-year rule, but of course there are national security opt-outs, some of which are incredibly important.
Of course there should be national security opt-outs, and when we were changing the rule from 30 to 20 years, I was one of the Ministers who ensured that they were strong. My anxiety is, however, that all too often the security services impose a complete blanket ban, which means that we as a nation are not properly able to understand what happened in the 1930s, 1940s and 1950s. If we were better informed about that, we might be able to make better decisions for our own national security in the future.
I do not wish to labour the point. I too was the Minister responsible for national security releases. All I can say is that that is not within the scope of the Bill, and I think the system works effectively.
As recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care, the Bill creates a new offence of the unlawful re-identification of de-identified personal data. It offers new safeguards for children, including a new code on age-appropriate website design. Currently, the law on parental consent for children on social media is complicated, but in most cases it applies to children up to 12 years old. The Bill provides for consent to be required in the case of children aged up to 13, so that parents have more control but the law is still practical.
The Bill also sets out clearer frameworks for data security—for example, by giving everyone a right to know when their data has been breached. We are strengthening the enforcement powers of the Information Commissioner to reflect a world in which data is held and used in much more sophisticated ways than ever before. Under the Bill, the commissioner can issue substantial penalties of up to 4% of global turnover. When she finds criminality, she can also prosecute. With greater control, greater transparency and greater security for our data, the Bill will help to give us a statute book that is fit for the digital age as we leave the EU.
Let me now touch on some specific areas in a little more detail. This is a forensic Bill with 208 clauses. It covers a vast area of British life, including financial services, sport, the protection of equality and much more. It also includes provisions that will support Members of this House in the work that we do, and it will make it easier for us to take up casework on behalf of our constituents.
The Bill provides for three parallel schemes to protect personal data. First, on general data, which accounts for the vast majority of data processing across all sectors of the economy and the public sector, this part of the Bill works in tandem with the EU’s GDPR, which we have discussed. We know that small businesses need advice on this, and it is important to get right the advice from the Information Commissioner’s Office. It says in my notes that the ICO has a small business helpline, but we have already heard about that in the debate.
I have been contacted by a number of businesses in Taunton Deane that are concerned about the work already placed on them to comply with data protection legislation. Can the Secretary of State confirm that this Bill will not give them a further workload, that it will indeed help those needing to trade in future across Europe and that it should, overall, be a benefit?
That is right. The Bill is structured to be consistent with the EU law elements of GDPR, which automatically apply from 25 May this year, to ensure that the non-EU elements of data protection, with respect to general data processing, national security data and law enforcement data, provide for a full spectrum framework for data protection once we leave the EU. The Bill is designed in such a way that it is as simple as possible for businesses to comply with the data protection standards that will be directly enforced from 25 May anyway. That is why from the point of view of small businesses, it is important that we get this Bill through by 25 May, and we have a fully functioning data protection framework. However, I certainly take on board, and am sympathetic to, the concerns my hon. Friend raises about small businesses and the need to ensure our data system is innovative in the future, and that people can comply with the rules. I hope that satisfies her on the concerns of small businesses in her constituency, as well as those of small councils and indeed small charities, which have to comply as well.
The schemes are designed to make sure the police can keep using and sharing personal data to prevent and investigate crime, to bring offenders to justice and to keep communities safe. Likewise, the Bill makes provisions for the personal data processed by our intelligence agencies, so they can continue to protect our country at a time of heightened terrorist threat. The intelligence services will be part of this new framework under the supervision of the Information Commissioner.
We also want to support the hard-hitting investigative journalism that holds the powerful to account and that we have touched on already—and it is good to see my hon. Friend the Member for North East Somerset (Mr Rees-Mogg) engaging with the digital economy on his smartphone; I am delighted that he welcomes at least some elements of the 21st century. On this point, I want briefly to comment on the proposed clauses inserted by the Lords. I set out our response to the consultation on the future of the Leveson inquiry last week, so I will not set out the arguments again in full this afternoon, but I will say this: the amendments are simply not the answer to today’s problems faced by the media. It has been six years since the Leveson inquiry reported; since then, we have seen the completion of three detailed police investigations, extensive reforms to police practices and some of the most significant changes to press self-regulation in recent times. Meanwhile, the media are facing critical challenges that threaten their sustainability, including fake news, declining circulations and in gaining revenue from online content.
On top of that, the amendments undermine our devolution settlement. The new clauses seek to legislate on a UK-wide basis, despite press regulation being a reserved matter for the devolved Administrations. I hope Scottish National party Members, and indeed all Members, will join me in voting these amendments down.
The Secretary of State is not sounding any more convincing than he did in his statement on Thursday. Failure to proceed with part two of Leveson and section 40 of the Crime and Courts Act 2013 is a disgusting and cowardly betrayal of the victims of media harassment. It does not even leave those victims in the same position as before, because since Leveson the Legal Aid, Sentencing and Punishment of Offenders Act 2012 has hobbled the ability of claimants in privacy and defamation actions to access no-win, no-fee representation. Therefore, section 40 is now the only way to ensure access to justice, which is as helpful to small publishers as it is to citizens. Why does the Secretary of State not put their interests before those of big newspaper groups, instead of currying favour for himself and his weak Government?
We debated this at length on Thursday and discussed the fact that it is vital that we look to what is needed for the media now, to ensure that instead of having a set of proposals that were designed several years ago and that would lead to any claimant being able to claim costs no matter the merits of their case, we have measures that enable our press to be sustainable for the future.
I support the Secretary of State in proposing that these amendments be removed. Like many in this place, I have been on the wrong end of fake news and misrepresentation many times, so I do not do so out of personal interest. I think there is a wider public interest: a free press is an extremely important part of a democracy. The press will not always get it right, but we need to be very careful about the amendments from the Lords.
I wholeheartedly agree with my right hon. Friend.
This Bill is an essential piece of legislation that makes the UK’s data laws among the most effective in the world. This House must never shy away from supporting new technology. The Electric Lighting Act 1882 was considered so important that the House sat on a Saturday to get it through. I hope that will not be necessary this time, but I do hope that the House will adopt similar enthusiasm in backing this Bill. Doing so would support our entrepreneurs in harnessing the value of data, while giving citizens confidence when they go online.
I was pleased a few weeks ago that the Opposition Front-Bench teams in the other place agreed that the Bill was a positive and necessary step. I hope the whole House will agree tonight, and I commend this Bill to the House.
As the hon. Gentleman may or may not know, it is entirely standard to count in that way. The same was done on the questions of equal marriage and of BBC charter reform, because there is a material difference between clicking a button to sign a preformed digital signature and writing in separately. This is how things have been in other big consultations. It is entirely normal, and the full details were set out last Thursday.
The Secretary of State is obviously living in the analogue age if he thinks that he can accept a coupon from The Sun but ignore 200,000 citizens expressing their concern about the inquiry.
I have only one question for the Secretary of State. Will the Government be able to detail what they will do if evidence of wrongdoing is revealed, in particular if editors misled or were partial in their evidence to the original inquiry? We still need Leveson 2, and Sir Brian agrees.
Like my hon. Friend the Member for Cambridge (Daniel Zeichner), who gave an excellent speech a few minutes ago, I will focus my remarks on the data protection aspects of the Bill. The Minister will have seen the press report this morning on research carried out by the Federation of Small Businesses showing that fewer than one in 10 small businesses is fully prepared for the obligations that this legislation imposes on them, and just under one in five has not yet heard of the GDPR. These obligations all take effect at the end of May—in less than three months’ time—so whatever the merits of this Bill, there is clearly a huge amount of work to be done in drawing the attention of those affected to what it means.
Ministers have made some changes to the Bill during its passage through the other place since we last discussed it in this Chamber on 12 October. In that debate, I and others made the point that my hon. Friend the Member for West Bromwich East (Tom Watson) made earlier—that leaving article 8 of the European charter of fundamental rights outside UK law poses a serious threat to our achieving a data adequacy determination from the European Commission in future. I therefore welcome the addition of what is now clause 2, which partly addresses that. However, I do not think it goes far enough, so I will be supporting my hon. Friend’s proposal that article 8 should be added to our statute book. Lord Stevenson tabled an amendment in the other place that said:
“The protection of personal data may not be lawfully restricted or limited unless such restrictions and limitations are consistent with the principle of proportionality.”
That is an important additional protection that ought to be in the Bill. I hope that we will be able to debate that amendment in Committee.
There is some confusion in the Government about all this. The Secretary of State set out how important it is that we keep our UK data regulation aligned with the regulation in the European Union because of the importance to the UK economy of personal data transfers between the UK and the EU. He is absolutely right about that. However, in recent months, the Foreign Secretary and the International Trade Secretary have suggested from time to time that it would be a good thing if the UK could deviate from EU rules on data protection. Last July, for example, the International Trade Secretary said in the United States—I am quoting from a report in the Financial Times—that the UK was more in line with US calls for information to be allowed to flow freely across borders while Germany and other EU countries insist on localisation. He was getting a bit confused about two different things, but he is clearly suggesting in that remark, as in others, that it could be a good thing for the UK to deviate from EU data protection rules. In fact—the Secretary of State is absolutely right about this—it would be a disaster for the UK to deviate from EU data protection regulation, because if the EU were to judge our data protection rules to be inadequate, a large chunk of the UK economy would immediately be without any lawful basis. That could affect exactly the kind of innovative company to which my hon. Friend the Member for Cambridge drew attention—a games company with players all over Europe who, as a part of playing the game, need to be able to send personal data between their country and the European Union.
The right hon. Gentleman has made this point in these debates several times, and I want to reassure him on the Government’s precise position. I stated this in my remarks, not speaking from notes, but let me read to him what the Prime Minister said in her speech on Friday:
“we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.”
So there you have it.
I am grateful to the Secretary of State, and I welcome that commitment on the part of the Prime Minister.
The problem is, however, that the International Trade Secretary and the Foreign Secretary have been saying different. That led to techUK, the industry body, writing to the International Trade Secretary last month to highlight the dangers. This was reported by that reliable publication, The Daily Telegraph, on 19 February, with the headline: “Tech industry warns Ministers not to drop EU security laws”. The report began:
“The British tech industry has issued a stark warning to leading Brexiteer ministers that diverging from EU data protection standards after Brexit will ‘undermine’ the UK’s status as Europe’s leading tech hub.”
The Secretary of State is absolutely right not to have gone down the same road as his right hon. Friends, and I very much welcome what the Prime Minister said about all this on Friday. However, there is clearly a problem in the Cabinet. I gather that after sending that letter, techUK received a reassuring response from the Department, and then a few days later a non-executive director at the Department for International Trade was quoted as saying, “Complying with EU standards on data is not the only solution.” But the truth is that for a large part of the UK economy, it is the only solution. We need to be absolutely clear about this. I am delighted that the Secretary of State is clear about it. Of course, that is why he is bringing this Bill before us and why he has altered it in line with what a number of us said in October.
I hate to take the wind out of the right hon. Gentleman’s sails, but it was unusual to receive that letter from techUK, because rarely as a Minister have I been lobbied so strongly in support of my own position.
I am glad that the Secretary of State has been lobbied in support of his own position, but he needs to watch his back against Ministers who lack the clarity that he has expressed—particularly the International Trade Secretary and the Foreign Secretary, who continue to say that there is merit in divergence. There is no merit in divergence at all. Significant numbers of tech start-ups are already going to Berlin rather than basing themselves in the UK because of the uncertainty about this issue. The more uncertainty there is, fanned by some members of the Cabinet, the greater the economic damage to the UK.
This is a very clear example of the situation we are going to find ourselves in more and more when we have left the European Union. It will be asserted that because of our economic interests, in this case, we should comply with rules drawn up by the European Union—in this case, the general data protection regulation—but we will no longer have a vote about what those rules should be. We will become a rule-taker. I welcome the commitment that the Prime Minister has made to a place for the UK’s Information Commissioner on the European data protection board. That will be helpful. It means that we will at least get a voice in these discussions when the rules are being drawn up—but we will not get a vote. We will be less influential in EU data protection laws than we have been as members of the European Union. We need to recognise that our influence, including over laws that we are going to have to implement ourselves, will be less in future than it has been up to now.
I would very much welcome the Minister telling us—my hon. Friend the Member for Cambridge made this point as well—how, in future, we are going to make adequacy determinations about other countries’ data protection laws. Are we going to adopt the EU list and say that those 12 countries are adequate and others are not, or are we going to have our own processes? How is it going to be done?
I echo the concerns expressed by a number of Members about the threats to our future data adequacy determination that come from the immigration exemption and the national security exemption. Those were not well defended by Ministers in the debates in the other place, and the justification for them is not clear. As others have said, they leave us open to criticisms of our data protection regulations that could threaten our future adequacy determinations. I am very keen to hear the Minister’s response to those concerns in particular.