(1 year, 7 months ago)
Commons Chamber

It is good finally to get the data Bill that was promised so long ago. We nearly got there in the halcyon days of September 2022, under the last Prime Minister, after it had been promised by the Prime Minister before. However, the Minister has a strong record of bringing forward and delivering things that the Government have long promised. I also know that she has another special delivery coming soon, which I very much welcome and wish her all the best with. She took a lot of interventions and I commend her for all that bobbing up and down while so heavily pregnant. I would also like to send my best wishes to the Secretary of State, who let me know that she could not be here today. I would also like to wish her well with her imminent arrival. There is lots of delivery going on today.
We are in the midst of a digital and data revolution, with data increasingly being the most prized asset and fundamental to the digital age, but this Bill, for all its hype, fails to meet that moment. Even since the Bill first appeared on the Order Paper last September, AI chatbots have become mainstream, TikTok has been fined for data breaches and banned from Government devices, and AI image generators have fooled the world into thinking that the Pope had a special papal puffer coat. The world, the economy, public services and the way we live and communicate are changing fast. Despite these revolutions, this data Bill does not rise to the challenges. Instead, it tweaks around the edges of GDPR, making an already dense set of privacy rules even more complex.
The UK can be a global leader in the technologies of the future. We are a scientific superpower, we have some of the world’s best creative industries and now, outside the two big trading blocs, we could have the opportunities of nimbleness and being in the vanguard of world-leading regulation. In order to harness that potential, however, we need a Government who are on the pitch, setting the rules of the game and ensuring that the benefits of new advances are felt by all of us and not just by a handful of companies. The Prime Minister can tell us again how much he loves maths, but without taking the necessary steps to support the data and digital economy, his sums just do not add up.
The contents of this Bill might seem technical—as drafted, they are incredibly technical—but they matter greatly to every business, consumer, citizen and organisation. As such, data is a significant source of power and value. It shapes the relationship between business and consumers, between the state and citizens, and much, much more. Data information is critical to innovation and economic growth, to modern public services, to democratic accountability and to transforming societies, if harnessed and shaped in the interest of the many, not simply the few—pretty major, I would say.
Now we have left the EU, the UK has an opportunity to lead the world in this area. The next generation of world-leading regulation could allow small businesses and start-ups to compete with the monopolies in big tech, as we have already heard. It could foster a climate of open data, enable public services to use and share data for improved outcomes, and empower consumers and workers to have control over how their data is used. In the face of this huge challenge, the Bill is at best a missed opportunity, and at worst adds another complicated and uncertain layer of bureaucracy. Although we do not disagree with its aims, there are serious questions about whether the Bill will, in practice, achieve them.
Data reform and new regulation are welcome and long overdue. Now that we have left the EU, we need new legislation to ensure that we both keep pace with new developments and make the most of the opportunities. The Government listened to some of the concerns raised in response to the consultation and removed most of the controversial and damaging proposals. GDPR has been hard to follow for some businesses, especially small businesses and start-ups, so streamlining and simplifying data protection rules is a welcome aim. However, we will still need some of them to meet EU data adequacy rules.
The aim of shifting away from tick-box exercises towards a more proactive and systematic approach to regulation is also good. Better and easier data sharing between public services is essential, and some of the changes in that area are welcome, although we will need assurances that private companies will not benefit commercially from personal health data without people’s say-so. Finally, nobody likes nuisance calls or constant cookie banners, and the moves to reduce or remove them are welcome, although there are questions about whether the Bill lives up to the rhetoric.
In many areas, however, the Bill threatens to take us backwards. First, it may threaten our ability to share data with the EU, which would be seriously bad for business. Given the astronomical cost to British businesses should data adequacy with the EU be lost, businesses and others are rightly looking for more reassurances that the Bill will not threaten these arrangements. The EU has already said that the vast expansion of the Secretary of State’s powers, among other things, may put the agreement in doubt. If this were to come to pass, the additional burdens on any business operating within the EU, even vaguely, would be enormous.
British businesses, especially small businesses, have faced crisis after crisis. Many only just survived through covid and are now facing rising energy bills that threaten to push them over the edge. According to the Information Commissioner,
“most organisations we spoke to had a plea for continuity.”
The Government must go further on this.
Secondly, the complex new requirements in this 300-page Bill threaten to add more hurdles, rather than streamlining the process. Businesses have serious concerns that, having finally got their head around GDPR, they will now have to comply with both GDPR and all the new regulations in this Bill. That is not cutting red tape, in my view.
Thirdly, the Bill undermines individual rights. Many of the areas in which the Bill moves away from GDPR threaten to reduce protection for citizens, making it harder to hold to account the big companies that process and sell our data. Subject access requests are being diluted, as the Government are handing more power to companies to refuse such requests on the grounds of being excessive or vexatious. They are tilting the rules in favour of the companies that are processing our data. Data protection impact assessments will no longer be needed, and protections against automated decision making are being weakened.
AlgorithmWatch explains that automated decision making is “never neutral.” Outputs are determined by the quality of the data that is put into the system, whether that data is fair or biased. Machine learning will propagate and enhance those differences, and unfortunately it already has. Is my hon. Friend concerned that the Bill removes important GDPR safeguards that protect the public from algorithmic bias and discrimination and, worse, provides Henry VIII powers that will allow the Secretary of State to make sweeping regulations on whether meaningful human intervention is required at all in these systems?
My hon. Friend makes two very good points, and I agree with her on both. I will address both points in my speech.
Taken together, these changes, alongside the Secretary of State’s sweeping new powers, will tip the balance away from individuals and workers towards companies, which will be able to collect far more data for many more purposes. For example, the Bill could have a huge impact on workers’ rights. There are ever more ways of tracking workers, from algorithmic management to recruitment by AI. People are even being line managed by AI, with holiday allocation, the assignment of roles and the determination of performance being decided by algorithm. This is most serious when a low rating triggers discipline or dismissal. Transparency and accountability are particularly important given the power imbalance between some employers and workers, but the Bill threatens to undermine them.
If a person does not even know that surveillance or algorithms are being used to determine their performance, they cannot challenge it. If their privacy is being infringed to monitor their work, that is a harm in itself. If a worker’s data is being monetised by their company, they might not even know about it, let alone see a cut. The Bill, in its current form, undermines workers’ ability to find out what data is held about them and how it is being used. The Government should look at this again.
The main problem, however, is not what is in the Bill but, rather, what is not. Although privacy is, of course, a key issue in data regulation, it is not the only issue. Seeing regulation only through the lens of privacy can obscure all the ways that data can be used and can impact on communities. In modern data processing, our data is not only used to make decisions about us individually but pooled together to analyse trends and predict behaviours across a whole population. Using huge amounts of data, companies can predict and influence our behaviour. From Netflix recommendations to recent examples of surge pricing in music and sports ticketing, to the monitoring of covid outbreaks, the true power of data is in how it can be analysed and deployed. This means the impact as well as the potential harms of data are felt well beyond the individual level.
Moreover, as we heard from my hon. Friend the Member for Salford and Eccles (Rebecca Long Bailey), the algorithms that analyse data often replicate and further entrench society’s biases. Facial recognition that is trained on mostly white faces will more likely misidentify a black face—something that I know the parliamentary channel sometimes struggles with. AI language bots produce results that reflect the biases and limitations of their creators and the data on which they are trained. This Bill does not take on any of these community and societal harms. Who is responsible when the different ways of collecting and using data harm certain groups or society as a whole?
As well as the harms, data analytics offers huge opportunities for public good, as we have heard. Opening up data can ensure that scientists, public services, small businesses and citizens can use data to improve all our lives. For example, Greater Manchester has, over the years, linked data across a multitude of public services to hugely improve our early years services, but this was done entirely locally and in the face of huge barriers. Making systems and platforms interoperable could ensure that consumers can switch services to find the best deal, and it could support smaller businesses to compete with existing giants.
Establishing infrastructure such as a national research cloud and data trusts could help small businesses and not-for-profit organisations access data and compete with the giants. Citymapper is a great example, as it used Transport for London’s open data to build a competitor to Google Maps in London. Open approaches to data will also provide better oversight of how companies use algorithms, and of the impact on the rest of us.
Finally, where are the measures to boost public trust? After the debacle of the exam algorithms and the mishandling of GP data, which led millions of people to withdraw their consent, and with workers feeling the brunt but none of the benefits of surveillance and performance management, we are facing a crisis in public trust. Rather than increasing control over and participation in how our data is used, the Bill is removing even the narrow privacy-based protections we already have. In all those regards, it is a huge missed opportunity.
To conclude, with algorithms increasingly making important decisions about how we live and work, data protection has become ever more important to ensure that people have knowledge, control, confidence and trust in how and why data is being used. A data Bill is needed, but we need one that looks towards the future and harnesses the potential of data to grow our economy and improve our lives. Instead, this piecemeal Bill tinkers around the edges, weakens our existing data protection regime and could put our EU adequacy agreement at risk. We look forward to addressing some of those serious shortcomings in Committee.