Darren speaks in the House of Commons about Data post Brexit

On Thursday I emphasised Brexit’s danger to trade, in both goods and data. This has implications for our economy and our safety.
 
Watch the full video here – 

Read the full speech here:

I declare my interest as set out in the Register of Members’ Financial Interests. I pay tribute to my hon. Friend Matt Western for the excellent curry in his constituency. As one of the few vegan MPs, I will happily visit and partake of the curried tofu if there is a vegan option; perhaps it will be better than that served in the Members’ Tea Room, grateful though I am for the option.

I was somewhat confused when I saw this debate on the Order Paper, not least because the Data Protection Bill is in the other place and scheduled to arrive here in due course, as the title was, “Exiting the European Union and Data Protection”. I therefore came with great hope—indeed, hope is the watchword of today—that the debate might be about some updates on how we will seek an agreement on adequacy with the European Union. Given that we are relying on hope and on some form of adequacy agreement—to proceed without an adequacy agreement would be, much like the rest of the Brexit policy, completely incoherent—I hope that the Minister will keep us posted on the progress that is being made towards an agreement, the timelines for doing so and the headway made in conversations about it.

We have a very short period in which to implement complicated and wide-ranging new laws. The Data Protection Bill, as we have heard today, incorporates not just GDPR issues for non-EU areas of competency, but matters of law enforcement and other things that have wide-ranging implications for our country and our laws. Those things must fit around the GDPR, which, as I said in my earlier intervention, will probably become law through a statutory instrument under the European Union (Withdrawal) Bill. I restate my ask of the Government that we should have the opportunity to debate that statutory instrument in substance in this House, not least because some of its important provisions require debate to guide businesses in my constituency and across the country on their application. An example concerns the right to human intervention when a decision has been made using profiling and automated processes—things such as algorithms. Many of my hon. Friends and other members of the Select Committee on Science and Technology will be looking at that issue, but some have grave concern about whether, when we bring in machine learning and changing algorithms, it is even possible to deliver the right to human intervention.

The Bill, which already covers many areas of law, is the start of a wider conversation that includes the network and information security directive and—to go to the important question of marketing, which my right hon. Friend Stephen Timms spoke about—the e-privacy regulation. How will those fit together? How will businesses, charities and other organisations, many of which do not have rooms full of lawyers and compliance specialists to help them to implement the law, know how everything fits together?

The Prime Minister and—dare I say?—her most ill-informed Brexiteer MPs seem happy with the idea of a no-deal hard Brexit. Many people can visualise lorries on the border, unable to export British goods to the continent. The same would be true for data. With a hard Brexit, there would be a standstill, and there would be blockages on the border for data. Much as with the goods in those trucks in Dover and in the port of Avonmouth in Bristol North West, that would be a disaster for business, consumers and importantly, as we have heard, for policing and the prevention of criminal activity.

I agree with that sentiment. Dare I say it, but very few Government Members are present? Although my right hon. Friend the Member for East Ham said this may be an anorak issue, it is in fact crucial to our economy, our new civil liberties and the type of country we want to live in. We should be having such a debate, and I again restate our request that we should do so in this House not only on the Data Protection Bill, but on the GDPR statutory instrument.

I am looking forward to the Data Protection Bill and I am excited about the Committee stage, but I will take this opportunity to address some of the strategic issues that many Members have mentioned: first, the basis of data protection law in the European charter of fundamental rights, on which I will not revisit the arguments already made but will, I hope, add something interesting and new to the debate; secondly, the incoherence between the necessity to mirror EU law and the Government’s illogical policy approach on Brexit; and lastly, the rights and protections of children.

First, as we have heard in this debate, the Government have made it clear that the European charter of fundamental rights will be revoked under the European Union (Withdrawal) Bill. The Minister said that the GDPR in effect says the same thing, but article 8 of the charter, which underpins the GDPR, is referenced in article 45 of the GDPR. If the GDPR is referencing out to statutory, fundamental rights and we take that anchor away, we must replace it elsewhere. I will therefore support the amendment to the Bill proposed by my right hon. Friend the Member for East Ham, to ensure that that happens

With respect to the Minister, I am not persuaded that that will be agreed by the European Commission. Of course ECJ jurisprudence will be Supreme Court jurisprudence in this country and will be referenced by judges in that Court, but without a statutory anchor ensuring that the fundamental right is, in their view, in favour of the consumer and the data subject, we risk divergence on the application of the rules.

I want to mention the right of collective address. Under the GDPR, bodies can campaign and bring actions against data controllers in the interests of consumers and data subjects as a whole. This works very well in other areas of the law in this country, such as the Consumer Rights Act 2015. Under that Act, Which?, as a private enforcer of unfair terms, can act on behalf of consumers. For some reason, the Government have decided not to adopt such an approach in the Data Protection Bill. I look to the Minister in his closing remarks to explain why he does not think organisations should be able to bring actions for collective redress on behalf of data subjects. Many data subjects may not be able to enforce their own rights as individuals but rely on such organisations to act in their interests.

On fundamental rights more broadly, I am still confused. I hope that the Minister will provide clarification in this final debate of the week by showing how, although we must maintain fundamental rights, we are also removing them. It is much like being in the single market and leaving it, much like being in Europe but not being in Europe, and much like protecting fundamental rights and not protecting them. What is the answer? The Data Protection Bill seeks to ensure transparency and accountability, and in the light of that theme, I hope the Minister will respond on fundamental rights.

Secondly, if we are successful in seeking an adequacy agreement, it is then for us to maintain equivalence as part of that developing area of EU law, as other Members have said. That will require the UK to adopt the decisions of the newly created European Data Protection Board, which is subject to the jurisprudence of the European Court of Justice. Yet the Government insist that we can be both in and out, which is ludicrous, as I have said. They also say that we can be in it without being subject to the rules, but we know that that is a fallacy. Will the Minister confirm whether the Government’s policy is to get an adequacy agreement either this year or next year, only for it to be revoked in a few years’ time because we do not want to be subject to the jurisdiction of the ECJ? We must be subject to its jurisdiction if we are to maintain adequacy, but we will be forever on the cliff edge of being concerned that adequacy will be removed—as it was from the United States of America by the European Commission—and that is the risk our businesses, our consumers, our charities and others fear.

Lastly, I wish to address the rights and protections of children. I will return to this topic in detail on Second Reading. It is a great disappointment that the European Union has backtracked and pulled back slightly on this issue, so that instead of having a harmonised rule saying that children deserve extra protections—especially in the context of understanding how their use of online products and services means giving over personal data, how that personal data is profiled and how advertising is targeted on children—the European Union decided to provide members states with a range of ages to choose from, from 13 to 16.

As my hon. Friend Kevin Brennan said, the UK opted for the age of 13 as the minimum GDPR requirement. I think that is the wrong decision and, according to polls by YouGov, 80% of parents agree with me. However, I encourage us to be intelligent about the way we regulate to support children. It is obvious that if we put in these frameworks children may find ways to use the systems anyway. No doubt there are a number of children under the age of 12 and 13 using social media sites today. We must make sure that the regulation is—dare I say?—with the kids. It needs to make sense and it needs to work properly. I look forward to having that debate and no doubt a shared aim.

As we prepare for the arrival of the Data Protection Bill, this is the first glimpse of a major piece of proposed legislation that highlights the enormous challenges with implementing Brexit. It is not just an issue of primary law for many of the issues we have talked about today; it is about clear rules and about compliance by those subjected to it. On clear rules, I refer to comments made by the Baroness Lane-Fox on Second Reading in the other place, when she pulled out a particularly entertaining section the Data Protection Bill, which reads:

Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR… In this Chapter, ‘the applied Chapter 2’ means Chapter 2 of this Part as applied by this Chapter”.

Other than that sounding like something out of the “Yes Minister” comedy series, it says to me, as a former lawyer, expense. People will be concerned—quite frankly, charities and other groups will be terrified—about getting this wrong. They will have to endure huge compliance costs in trying to implement what should be clear rules into their business.

Following on from what Vicky Ford said—she is not in her place—on compliance and guidance from the ICO, I stress this point with the Minister: many businesses want to do the right thing. They wait on guidance from the ICO and others to tell them what the law means and how they will seek to enforce that law. However, much guidance has either been delayed or is not yet with us. The guidance that has been provided is not, in many cases, sufficiently clear either. We must support the ICO properly to ensure it can provide that service, and we must make sure that people know how to comply with the law.

The UK is, as we have heard, one of the world’s leading digital economies. Bristol is one of the largest digital economies outside of London, and we lead the way on these issues in the world. We have the opportunity to set the tone in becoming a global hub for the world’s digital economy based not only on trust, accountability and security, but on business innovation and leadership. I look forward to helping the Government in this House to get that right.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *