Watch Darren’s second day on the Data Protection Bill Committee and read his account

Data Protection Bill: Committee Day Two Report (National Security Exemptions, post Brexit data sharing and Collective Redress).

The Data Protection Bill (the “Bill”) applies new EU data protection laws to the UK, adapting them and extending them for the UK legal system. 

The Bill arrived in the House of Commons from the House of Lords and, having passed second reading, it is now at committee stage. This is where a  committee of MPs – including Darren – go through the bill line by line.

Here’s Darren’s report of Day Two. You can read the report of Day One here.

National Security Exemptions

The most contentious issue of the day was the power for exemptions to be granted from data protection and privacy rights for law enforcement purposes, namely due to an issue of national security.

Clearly, no politician wants to put our law enforcers in a position where they can’t do their job. But we on the Opposition benches tried to achieve two outcomes today: first, that broad powers and exemptions have adequate safeguards to keep our laws fit for purpose in the context of quickly advancing technologies; and second, that equivalent oversight exists for the processing of personal data as it does for the collection of it.

The latter of these two points went unanswered by the Government. Under the Investigatory Powers Acts various safeguards and sign offs are required for the collection of personal data by intrusive means (such as the bulk collection of data or the interception of a communication). However, it is this Bill that then provides the rules for what can be done with that data once it’s collected. Oddly, the safeguards under the Investigatory Powers Act are far better than those on the face of this Bill. We tabled amendments to align these, but the Government disagreed.

These safeguards were put into clear context by my colleague Louise Haigh MP (who is our Shadow Home Office Minister), including the increasing use of facial recognition software and the bulk collection of location identifiers using mobile phone data (so called IMSI Catchers, which has been shown by the Bristol Cable to be used in Bristol). When the Government holds facial images for the bulk of the adult population (from passport and driving license photos), when the Government has admitted that the police hold more facial profiles than they have a legal basis to do so, and when we’ve waited years (and we’re still waiting) for the Government’s biometrics strategy, it is perfectly reasonable for the Opposition to raise these issues. Sadly, the Government didn’t agree to any of our amendments.

Lastly, on this topic, the issue of exemptions was also raised, in the context of increasingly sophisticated algorithms being used by law enforcement agencies (including the police). Under the Bill, exemptions can be used to prevent citizens, for example, from opting out of automated decision making (i.e, the use of an algorithm to decide law enforcement issues). The Government responded that it is rare for purely automated processes to be used: human officers will always intervene. In my view, that answer isn’t good enough. With stretched resources, it seems obvious that busy officers will rely on whatever output comes out of these algorithms. And as static algorithms start to transform into artificially intelligence machine learning algorithms it’s safe to say that very few people will have any idea what’s going on inside them. That’s why exemptions from important data protection and privacy rights should be restricted and not broad enough to be used widely. Unfortunately, the report that I am co-producing on the Science and Technology Select Committee into the regulation of algorithms isn’t yet published, but when it is it might give us an opportunity to revisit this issue in debate.

The Government’s position on safeguards and exemptions for law enforcement purposes was weak today, and I’m sure we’ll return to this in more detail (hopefully with some further Government amendments) at Report stage.

“Beyond Adequacy”

The day kicked off with my amendment which sought to tweak the Bill, making the Information Commissioner (the “ICO”) to apply EU derived decisions and guidance on GDPR into UK law (with the flexibility to not do so where she feels it isn’t required). The Government preferred the position that the ICO must have only “regard” for such decisions.

However, in trying to seek a decision of adequacy – that UK law matches EU law – and in seeking to keep that into the future, it’s important that the UK doesn’t diverge from EU data protection laws. The Government has said that it now wants a deal with the EU that is “beyond adequacy” and the Digital Minister Margot James MP told me in the House that this meant have a seat for our ICO at the European Data Protection Board (the “EDPB”) table. But more than that, that our role should be to influence decisions of the EDPB not just to be there to listen. In seeking to secure that, I put it to the Government that it might want to go further than merely having “regard” for EU law and to agree on the face of the Bill that we will meet our obligations and incorporate it. However, the Government disagreed and – whilst I called it to a vote – the Labour and SNP combined vote in favour of my amendment was defeated by the Government.

Watch Darren speak on this topic: 

Collective Redress

Lastly, we on the Opposition benches sought to apply the requirement in the GDPR that groups (such as Which?) could bring “class actions” on behalf of consumers where a breach of data protection law has taken place. The Government tried to ignore this requirement but has since put down an amendment which says these “class actions” can be taken, but only where everyone in the class has “opted in”.

This will make the process pointless, not least because charitable groups or campaign groups which act on behalf of consumers don’t have the resources to find the often tens of millions of people subject to, for example, a data breach. And anyway, this principal already exists in EU law and has been successfully adopted in UK law (in the Consumer Rights Act) without any problems whatsoever.

We failed to understand why the Government decided to not just get on with it, but instead to create a mechanism which isn’t going to work and which will prevent access to justice for millions of UK citizens in this increasing important area.

Conclusions

Other than these main issues, we managed to get through quite a few clauses and amendments which were agreed on a cross party basis. As my colleague Liam Byrne MP, our Shadow Digital Minister, said: the Government is likely to regret not pushing ahead with powers of collective redress given how many large data breaches we’ve already had. Time will tell!

So that’s Day Two down. Three more to go.

Darren Jones is the Labour MP for Bristol North West, a member of the EU Scrutiny Select Committee and Science and Technology Select Committee and is currently serving on the Public Bill Committee for the Data Protection Bill. He tweets at @darrenpjones.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *