Read Darren’s account of his third day on the Data Protection Bill Committee

Data Protection Bill: Committee Day Three Report (ICO Powers, Leveson Two, Intelligence Service Data Transfers, Data Value and other issues).

The Data Protection Bill (the “Bill”) applies new EU data protection laws (the General Data Protection Regulation, or “GDPR”) to processes in the UK which EU law has no jurisdiction over, introduces the Law Enforcement Directive for policing and law enforcement powers, and sets out the data protection and privacy rules for the processing of personal data by the secret services (MI5, MI6 and GCHQ). It also provides a legislative “parking space” so that, if the UK leaves the EU, GDPR is copied and pasted into UK law (via the EU Withdrawal Bill) to maintain the same level of laws between the UK and the EU post-Brexit. This is important, because the EU needs to agree that UK laws are adequate in order to allow the continued flow of data between the UK and EU after Brexit.

The Bill arrived in the House of Commons from the House of Lords and, having passed second reading, it is now at committee stage. This line-by-line review of the Bill kicked off last week.

Here’s my report of Day Three. You can read by report of Day One here and of Day Two here.

Another day, another bill committee. Accept this time, day three of the Bill committee kicked off the morning after the night before. Last night, Channel 4 News followed the excellent reporting of the Observer and the New York Times in exposing the dark arts of Cambridge Analytica, including their alleged sucking up of tens of millions of Facebook profiles.

New Information Commissioner Powers

It’s no surprise, then, that the issue of regulatory powers for the Information Commission (the “ICO”) came up today – albeit without sufficient answers from the Government.

I and others had been led to believe from the Secretary of State, Matt Hancock MP, that the Government intended to bring in new powers to help the ICO, following the Cambridge Analytica revelations.

However, to the surprise of many MPs on the bill committee, Digital Minister Margot James MP confirmed that no new powers were being tabled and, to make it worse, additional criminal sanctions for failing to comply with requests from the ICO weren’t being tabled either! This in the face of comments from the ICO herself that pure monetary fines for breaching ICO notices was clearly less of a deterrent than criminal prosecutions (especially to those with deep pockets). It’s right that some new criminal sanctions are being legislated for, but this approach ought to apply in a uniform fashion.

And without want of asking (I think we raised it three times today), the Government failed to set out whether it would seek to make judges available on an emergency basis when the ICO is running against the clock. This would have helped, for example, last night when the ICO had to wait until today to get a warrant to enter the offices of Cambridge Analytica whilst Facebook was able to use its contractual rights to get access before the regulator could (thankfully, Facebook did as it was asked when the ICO told it to stand down).

Leveson Two

Another contentious topic today was the Government’s insistence in closing part two of the Leveson Inquiry (the part that sought to investigate potential breaches of data protection more widely in the newspaper industry and its alleged connections with the police). As our shadow Digital Minister, Liam Byrne MP, made clear: this investigation was promised by the (previous) Prime Minister on the floor of the House, and it seems wholly unsatisfactory for a new Secretary of State (Matt Hancock) to suddenly decide that there is “nothing to see here, guv!”. We opposed the Government in supporting the Lords amendments which sought to instigate Leveson Two, but Conservative MPs voted it down. Leveson Two will therefore not be going ahead – something that, for the many victims of press intrusion, is likely to be deeply sad news.

Further, amendments had been made in the House of Lords to legislate for a re-balance in power between citizens and newspapers, so that when claims are brought against newspapers the claimants do not have to face paying the often-enormous legal fees of the newspaper giants. Unsurprisingly, the Government voted down these amendments too.

Intelligence Services

The final few clauses for the security services aspects of the Bill were voted through today, but with attempts from the Opposition to ensure that proper rights of redress existed following automated decision making, and that international transfers of personal data went only to countries which had been given the data protection stamp of approval.

I re-made my case, in line with comments from the Joint Committee on Human Rights, that if the UK leaves the EU it will no longer be able to rely on the national security exemption under the EU Treaties (namely that national security is a reserved matter for Member States and nothing to do with the EU).

As such, when seeking to secure and maintain adequacy, the EU could post-Brexit look at the whole data protection environment in the UK as a third country. This would mean that any international transfers of the personal data of UK or EU citizens to countries deemed by the EU to be inadequate would risk cancelling our adequacy agreement.

The Home Office Minister, Victoria Atkins MP, made the point that Canada has an adequacy decision but failed to recognise that the European Commission has raised concerns with it about data transfers to the US (which puts Canada’s data adequacy at risk, too). This issue seemed, therefore, to not be of concern to the Government.

I also moved another amendment in my name, which made it clear that UK courts must have “regard” to EU courts in the developing area of data protection law. This would help the UK maintain its adequacy with EU law in the future. However, even though the Minister seemed to agree with all my arguments, the Conservative MPs on the committee voted down my amendment anyway.

Other Issues

We covered lots of other issues today, including new laws for age appropriate design to put extra pressure on companies to build consent and privacy tools that work for children.

We also started a conversation on the value of personal data: an area which I think needs much deeper and more urgent attention. The NHS, for example, is a global treasure trove of health data yet we don’t employ data scientists in the NHS nor do we have formal Government policy on how to ensure full value of that data for the NHS and NHS patients. This is a topic which I’ll return to later in the year through other related work.

And I raised the question with the Minister about the issues of consent, and the new offence of re-identification of de-identified personal data. However, I failed to get a useful response, so we will need to return to this at a later stage.

Finally, I wrote to Margot James MP today to re-assert my concerns with the democratic engagement rule which allows companies to process personal data without consent in the public interest. My concern is that this would have allowed Cambridge Analytica to do what it did. You can read my letter to the Minister here.

I’d better leave it there – but we’re back at it on Thursday for what will probably be the final day. I’ll be moving my new clause which seeks to bring technology ethics on a statutory footing. Given the big ethical questions associated with Cambridge Analytica, I hope the Government supports my new clause!

Darren Jones is the Labour MP for Bristol North West, a member of the EU Scrutiny Select Committee and Science and Technology Select Committee and is currently serving on the Public Bill Committee for the Data Protection Bill. He tweets at @darrenpjones.

, , ,

Darren supports Cystic Fibrosis Trust’s campaign for Orkambi

MP for Bristol North West, Darren Jones has shared his views on access to Orkambi for constituents with Cystic Fibrosis.

Darren said:

“ I sympathise profoundly with anyone affected by Cystic Fibrosis (CF) and I appreciate the strength of support for making Orkambi available on the NHS, this is demonstrated by an online petition signed by  113,000 people.

In July 2016, the National Institute for Health and Care Excellence (NICE) concluded in its final guidance that Orkambi “could not be considered a cost-effective use of NHS resources” and subsequently did not recommend the drug for use on the NHS. I share the disappointment that will have been felt by many at this decision.

I understand that access to the drug Orkambi can extend the lives of 50% of the 10,400 people in the UK who currently live with CF, with this drug already available in Austria, Denmark, France, Germany, Luxembourg, The Netherlands, Italy, the Republic of Ireland, Greece and the United States.

The Government has welcomed dialogue between the pharmaceutical company, Vertex, and NHS England to agree a deal that would make Orkambi available to NHS patients. I know that the Cystic Fibrosis Trust has been working hard in pushing Vertex to put forward a substantive proposal to NHS England.

Parliament will hold a debate on access to Orkambi for people with CF on 19 March 2018. I will follow the debate closely and keep in mind the points my constituents have raised. In the meantime, I believe it is the responsibility of Ministers to facilitate the end of the deadlock between Vertex and NHS England so that people can access this vital drug and see their lives transformed.

At the General Election I stood on a manifesto that pledged to tackle the growing problem of rationing of services and medicines across England. The manifesto also committed to ensuring that all NHS patients get fast access to the most effective new drugs and treatments, and to insist on value-for-money agreements with pharmaceutical companies”.

Watch Darren’s second day on the Data Protection Bill Committee and read his account

Data Protection Bill: Committee Day Two Report (National Security Exemptions, post Brexit data sharing and Collective Redress).

The Data Protection Bill (the “Bill”) applies new EU data protection laws to the UK, adapting them and extending them for the UK legal system. 

The Bill arrived in the House of Commons from the House of Lords and, having passed second reading, it is now at committee stage. This is where a  committee of MPs – including Darren – go through the bill line by line.

Here’s Darren’s report of Day Two. You can read the report of Day One here.

National Security Exemptions

The most contentious issue of the day was the power for exemptions to be granted from data protection and privacy rights for law enforcement purposes, namely due to an issue of national security.

Clearly, no politician wants to put our law enforcers in a position where they can’t do their job. But we on the Opposition benches tried to achieve two outcomes today: first, that broad powers and exemptions have adequate safeguards to keep our laws fit for purpose in the context of quickly advancing technologies; and second, that equivalent oversight exists for the processing of personal data as it does for the collection of it.

The latter of these two points went unanswered by the Government. Under the Investigatory Powers Acts various safeguards and sign offs are required for the collection of personal data by intrusive means (such as the bulk collection of data or the interception of a communication). However, it is this Bill that then provides the rules for what can be done with that data once it’s collected. Oddly, the safeguards under the Investigatory Powers Act are far better than those on the face of this Bill. We tabled amendments to align these, but the Government disagreed.

These safeguards were put into clear context by my colleague Louise Haigh MP (who is our Shadow Home Office Minister), including the increasing use of facial recognition software and the bulk collection of location identifiers using mobile phone data (so called IMSI Catchers, which has been shown by the Bristol Cable to be used in Bristol). When the Government holds facial images for the bulk of the adult population (from passport and driving license photos), when the Government has admitted that the police hold more facial profiles than they have a legal basis to do so, and when we’ve waited years (and we’re still waiting) for the Government’s biometrics strategy, it is perfectly reasonable for the Opposition to raise these issues. Sadly, the Government didn’t agree to any of our amendments.

Lastly, on this topic, the issue of exemptions was also raised, in the context of increasingly sophisticated algorithms being used by law enforcement agencies (including the police). Under the Bill, exemptions can be used to prevent citizens, for example, from opting out of automated decision making (i.e, the use of an algorithm to decide law enforcement issues). The Government responded that it is rare for purely automated processes to be used: human officers will always intervene. In my view, that answer isn’t good enough. With stretched resources, it seems obvious that busy officers will rely on whatever output comes out of these algorithms. And as static algorithms start to transform into artificially intelligence machine learning algorithms it’s safe to say that very few people will have any idea what’s going on inside them. That’s why exemptions from important data protection and privacy rights should be restricted and not broad enough to be used widely. Unfortunately, the report that I am co-producing on the Science and Technology Select Committee into the regulation of algorithms isn’t yet published, but when it is it might give us an opportunity to revisit this issue in debate.

The Government’s position on safeguards and exemptions for law enforcement purposes was weak today, and I’m sure we’ll return to this in more detail (hopefully with some further Government amendments) at Report stage.

“Beyond Adequacy”

The day kicked off with my amendment which sought to tweak the Bill, making the Information Commissioner (the “ICO”) to apply EU derived decisions and guidance on GDPR into UK law (with the flexibility to not do so where she feels it isn’t required). The Government preferred the position that the ICO must have only “regard” for such decisions.

However, in trying to seek a decision of adequacy – that UK law matches EU law – and in seeking to keep that into the future, it’s important that the UK doesn’t diverge from EU data protection laws. The Government has said that it now wants a deal with the EU that is “beyond adequacy” and the Digital Minister Margot James MP told me in the House that this meant have a seat for our ICO at the European Data Protection Board (the “EDPB”) table. But more than that, that our role should be to influence decisions of the EDPB not just to be there to listen. In seeking to secure that, I put it to the Government that it might want to go further than merely having “regard” for EU law and to agree on the face of the Bill that we will meet our obligations and incorporate it. However, the Government disagreed and – whilst I called it to a vote – the Labour and SNP combined vote in favour of my amendment was defeated by the Government.

Watch Darren speak on this topic: 

Collective Redress

Lastly, we on the Opposition benches sought to apply the requirement in the GDPR that groups (such as Which?) could bring “class actions” on behalf of consumers where a breach of data protection law has taken place. The Government tried to ignore this requirement but has since put down an amendment which says these “class actions” can be taken, but only where everyone in the class has “opted in”.

This will make the process pointless, not least because charitable groups or campaign groups which act on behalf of consumers don’t have the resources to find the often tens of millions of people subject to, for example, a data breach. And anyway, this principal already exists in EU law and has been successfully adopted in UK law (in the Consumer Rights Act) without any problems whatsoever.

We failed to understand why the Government decided to not just get on with it, but instead to create a mechanism which isn’t going to work and which will prevent access to justice for millions of UK citizens in this increasing important area.

Conclusions

Other than these main issues, we managed to get through quite a few clauses and amendments which were agreed on a cross party basis. As my colleague Liam Byrne MP, our Shadow Digital Minister, said: the Government is likely to regret not pushing ahead with powers of collective redress given how many large data breaches we’ve already had. Time will tell!

So that’s Day Two down. Three more to go.

Darren Jones is the Labour MP for Bristol North West, a member of the EU Scrutiny Select Committee and Science and Technology Select Committee and is currently serving on the Public Bill Committee for the Data Protection Bill. He tweets at @darrenpjones.

Watch Darren’s first day on the Data Protection Bill Committee and read his account

Data Protection Bill: Committee Day One  (Immigration Control, Fundamental Rights, Children and Democratic Engagement).

The Data Protection Bill (the “Bill”) applies new EU data protection laws to the UK, adapting them and extending them for the UK legal system. 

The Bill arrived in the House of Commons from the House of Lords and, having passed second reading, it is now at committee stage. This is where a  committee of MPs – including Darren – go through the bill line by line.

Darren’s Report:

The Data Protection Bill (the “Bill”) applies new EU data protection laws (the General Data Protection Regulation, or “GDPR”) to processes in the UK which EU law has no jurisdiction over, introduces the Law Enforcement Directive for policing and law enforcement powers, and sets out the data protection and privacy rules for the processing of personal data by the secret services (MI5, MI6 and GCHQ). It also provides a legislative “parking space” so that, if the UK leaves the EU, GDPR is copied and pasted into UK law (via the EU Withdrawal Bill) to maintain the same level of laws between the UK and the EU post-Brexit. This is important, because the EU needs to agree that UK laws are adequate in order to allow the continued flow of data between the UK and EU after Brexit.

The Bill arrived in the House of Commons from the House of Lords and, having passed second reading, it is now at committee stage. This line-by-line review of the Bill kicked off today. Here’s my report of day one.

“Immigration Control”

The most contentious issue of the day was the Government’s power to excuse itself of having to comply with the General Data Protection Regulation (“GDPR”) for the purposes of effective “immigration control”.

The small problem for the Government is that such an exemption doesn’t exist in the GDPR, and – according to the Joint Committee on Human Rights – is a new power for the Home Office compared to the law today (found primarily in the Data Protection Act 1998).

The Home Office Minister – Victoria Atkin MP – did a grand job of trying to sell what is an unnecessary and poorly drafted clause. But there was no hiding from the fact that this exemption has no clear basis in law (or at least not a clear basis which the Minister could point to). In trying to deal with our concerns on the Opposition side, Ms Atkin reassured us that the exemption would only be used for a short period of time (i.e., a citizen’s data protection and privacy rights would only be “paused”). But in failing to answer my question, the Minister was unable to point to any clause in the Bill which restricted its use for a time limited period. If that is the case, it should be set out on the face of the Bill.

It was also made clear that this new exemption would apply to a wide range of citizens – non-EU citizens and EU citizens, but also British citizens connected to migrants. My wife, for example, is Australian and so I assume that I could lose my data protection and privacy rights should the Government wish to use my personal data to check on the effective immigration control of my wife! If that were to happen I would lose pretty much every single right made available to me by the GDPR.

The fact of the matter is that the clause isn’t needed (there are other clauses which allow for exemptions for the management of criminal offences), it’s too broad and – in my view – the Government has no legal basis to introduce it if it wishes to comply with EU law now, and into the future. We will no doubt return to this issue at Report stage.

Fundamental Rights

The other contentious issue of the day was that of fundamental rights: namely rights included within the European Charter of Fundamental Rights (“the Charter”), which the Government seeks to repeal by way of the EU Withdrawal Bill.

GDPR is built on the fundamental rights to privacy and the protection of personal data included in the Charter. And so the Opposition tabled amendments to include, specifically, Article 8 of the Charter on the face of the Bill. This would seek – in our view – to maintain the level of legal protections enjoyed by citizens today and would assist the Government in securing a decision of adequacy with the EU (which would allow us to continue to share data between the UK and the EU after Brexit day). Following debate in the House of Lords, our amendment was further refined to make it clear that the fundamental right was subject to any legal exemptions and derogations in the Bill and the GDPR, and that the Information Commissioner would have the power to enforce that fundamental right.

However, the Government disagreed with this assessment and even though the Department for Exiting the EU confirmed that no other directly comparable right exists in UK law today, it voted down our amendment anyway. What I fail to understand is – but for any example whatsoever of an issue with Article 8 of the Charter today – why the Government feels so strongly about excluding it for the future.

The Bill provides a legislative parking space in which to copy and paste GDPR (which is directly applicable to the UK for as long as we are members of the EU), so that after Brexit day we continue to apply it in the UK. But by seeking to build a replica GDPR without Charter fundamental rights, we are in essence seeking to build a replica house with no foundations. I hope this risk being taken by the Government doesn’t result in our attempts to seek an adequacy decision sinking as soon as we’ve done the building work.

Darren spoke on Fundamental Rights, and post Brexit data arrangements:

Lastly, two final points.

Children and the Age of Consent

Firstly, a short debate took place about the age of consent for the purposes of legal processing of personal data. The EU took the view that children aged under 16 require parental consent, but allowed Member States to make that age as young as 13. In the UK today, the age applied is 12, but the Government has used its right to shift it up one year to 13. That means that children from 13 years of age can consent to handing over their personal data without parental consent.

Whilst I appreciate that some companies are investing time and money into building more children friendly privacy policies and consent mechanisms, I do worry about the fact that our children’s data can be processed (for example, for the purposes of targeted advertising online) without parental consent. 13 seems to me to be too young as a matter of public policy, and so I was pleased that the Digital Minister Margot James MP agreed with me that the Government ought to keep an open mind about regulation in this space in the future. Namely, that when the technology exists to verify the age of children (which exists today for adults but is less easy for children), that we consider voluntary and – if required – legislative means to check the age of users online and to apply suitable protections for them.

Democratic Engagement

Secondly, an amendment was included today which made it clear that data controllers can process personal data without consent if it is for the purposes of “democratic engagement”. This is a clarification in the Bill that the UK Government considers “democratic engagement” to be an example of “public interest” and the exercise of “official duties” by office holders. This would mean that politicians are able to use information on the electoral register, for example, without first seeking the consent of their constituents. Without this right, it would be very hard for parties and politicians to send voters information at election time, for example.

However, I raised a concern with the Minister that people or organisations other than political parties or elected politicians could rely on “democratic engagement” as a “public interest” matter in processing citizens’ data without their consent. I, for example, would not want Leave.EU to start using my personal data without my consent merely because they think they are supporting democratic engagement.

The Minister failed to give me a suitable answer to this, and I will return to it at Report Stage.

Conclusions

These, in my view, were the main contentious issues of the day. The Government passed many sensible amendments to tidy up the Bill, and introduced useful amendments on issues such as the safe guarding of children and the processing of personal data to track ethnic diversity on company boards. We also started the debate on the regulation of algorithms, but we will return to this in more detail in later days.

So that’s Day One down. Four more to go. On Thursday, I will be the first to rise to beg that my amendment be moved, ensuring the UK Government recognises its obligations in adhering to EU law via the European Data Protection Board in the future. Until then!

s.

, ,

Darren questions the government over Severn Bridge traffic

Both the Department of Transport and the Wales Office have failed to assess the increase in car travel in North Bristol following the removal of tolls on the Severn Bridge. Darren questioned the government over this failure.

Watch below:

 

, ,

Darren shares his views on UK aid budget

MP for Bristol North West, Darren Jones has shared his thoughts on maintaining 0.7% of UK gross national income(GNI) for the overseas aid budget.

Darren said:

“ During the 2010-15 Parliament, the UK became the first G7 country to enshrine in law a target to spend 0.7% of GNI on overseas aid and did so with cross-party support. The development and improvements in hundreds of millions of people’s lives that have resulted from this commitment have been a credit to humanity. For example, from 2010-15, British aid supported 11 million children through school and helped more than 60 million people to access clean water, better sanitation and improved hygiene conditions. UK support during the Ebola outbreak in West Africa in 2014, meanwhile, halted the spread of the disease. Such achievements should be a source of pride for everyone in the UK. I therefore remain profoundly committed to spending 0.7% of GNI on overseas aid. 

I share people’s concerns at recent questioning of the UK’s foreign aid budget. It is worrying that, while the Government has committed to maintaining the 0.7% target, its plans also suggest a shift away from the current cross-party consensus on international development. For example, the Government has stated its intention to attempt to change international definitions of development assistance. It has further stated that if it fails to do this, it will change the law to allow it to use its own definition of development assistance. I am concerned that this is an attempt to use overseas aid intended for poverty reduction for things such as security and counter-terrorism, and to plug funding gaps in other departments. 

It is vital that we continue to abide by the Organisation for Economic Cooperation and Development definition of aid and use our overseas assistance to promote the economic development and welfare of developing countries. Abandoning this global standard would undermine the purpose of the 0.7% commitment and send the wrong message to the rest of the world. I will continue to defend the UK’s aid target and press for the correct use of the international aid budget”.

 

, ,

Darren holds debate on waiters and waitresses’ tips

Darren has recently been campaigning on the issue of what happens to tips left at restaurants, following Bristol activists and the Bristol Post raising the issue in relation to Aqua Italia. There, as well as at Turtle Bay, workers were made to pay a percentage of their table orders to restaurants, in case they received tips. This sometimes meant workers were forced to got to a cash-point to pay their employer, as they hadn’t made enough in tips.

You can watch Darren’s full speech in the debate below:

,

7th March Science and Tech committee highlights

The subject for this session was the flu vaccination programme. The witnesses were Professor Paul Cosford, Director for Health Protection and Medical Director, Public Health England, Professor Steve Powis, National Medical Director, NHS England, Professor Jonathan Van-Tam, Deputy Chief Medical Officer, Professor Andrew Pollard, Chair, Joint Committee on Vaccination and Immunisation, and Dr Sue Crossland, President Elect, Society for Acute Medicine.

Watch highlights here:

,

Darren questions David Davis over Airbus leaving

Airbus said that unless there is ‘imminent clarity’ over post Brexit customs arrangements, they might leave the UK. Currently, they provide or support 130,000 jobs in this country. Darren asked David Davis MP, Secretary of State for Exiting the European Union, to provide this clarity. Watch here:

, , ,

Watch Darren question Chancellor Philip Hammond

In European Scrutiny Committee, Darren questioned Philip Hammond on the subject of EU withdrawal and whether the Irish border could move to mainland Britain. Watch here: