Read Darren’s account of his third day on the Data Protection Bill Committee

Data Protection Bill: Committee Day Three Report (ICO Powers, Leveson Two, Intelligence Service Data Transfers, Data Value and other issues).

The Data Protection Bill (the “Bill”) applies new EU data protection laws (the General Data Protection Regulation, or “GDPR”) to processes in the UK which EU law has no jurisdiction over, introduces the Law Enforcement Directive for policing and law enforcement powers, and sets out the data protection and privacy rules for the processing of personal data by the secret services (MI5, MI6 and GCHQ). It also provides a legislative “parking space” so that, if the UK leaves the EU, GDPR is copied and pasted into UK law (via the EU Withdrawal Bill) to maintain the same level of laws between the UK and the EU post-Brexit. This is important, because the EU needs to agree that UK laws are adequate in order to allow the continued flow of data between the UK and EU after Brexit.

The Bill arrived in the House of Commons from the House of Lords and, having passed second reading, it is now at committee stage. This line-by-line review of the Bill kicked off last week.

Here’s my report of Day Three. You can read by report of Day One here and of Day Two here.

Another day, another bill committee. Accept this time, day three of the Bill committee kicked off the morning after the night before. Last night, Channel 4 News followed the excellent reporting of the Observer and the New York Times in exposing the dark arts of Cambridge Analytica, including their alleged sucking up of tens of millions of Facebook profiles.

New Information Commissioner Powers

It’s no surprise, then, that the issue of regulatory powers for the Information Commission (the “ICO”) came up today – albeit without sufficient answers from the Government.

I and others had been led to believe from the Secretary of State, Matt Hancock MP, that the Government intended to bring in new powers to help the ICO, following the Cambridge Analytica revelations.

However, to the surprise of many MPs on the bill committee, Digital Minister Margot James MP confirmed that no new powers were being tabled and, to make it worse, additional criminal sanctions for failing to comply with requests from the ICO weren’t being tabled either! This in the face of comments from the ICO herself that pure monetary fines for breaching ICO notices was clearly less of a deterrent than criminal prosecutions (especially to those with deep pockets). It’s right that some new criminal sanctions are being legislated for, but this approach ought to apply in a uniform fashion.

And without want of asking (I think we raised it three times today), the Government failed to set out whether it would seek to make judges available on an emergency basis when the ICO is running against the clock. This would have helped, for example, last night when the ICO had to wait until today to get a warrant to enter the offices of Cambridge Analytica whilst Facebook was able to use its contractual rights to get access before the regulator could (thankfully, Facebook did as it was asked when the ICO told it to stand down).

Leveson Two

Another contentious topic today was the Government’s insistence in closing part two of the Leveson Inquiry (the part that sought to investigate potential breaches of data protection more widely in the newspaper industry and its alleged connections with the police). As our shadow Digital Minister, Liam Byrne MP, made clear: this investigation was promised by the (previous) Prime Minister on the floor of the House, and it seems wholly unsatisfactory for a new Secretary of State (Matt Hancock) to suddenly decide that there is “nothing to see here, guv!”. We opposed the Government in supporting the Lords amendments which sought to instigate Leveson Two, but Conservative MPs voted it down. Leveson Two will therefore not be going ahead – something that, for the many victims of press intrusion, is likely to be deeply sad news.

Further, amendments had been made in the House of Lords to legislate for a re-balance in power between citizens and newspapers, so that when claims are brought against newspapers the claimants do not have to face paying the often-enormous legal fees of the newspaper giants. Unsurprisingly, the Government voted down these amendments too.

Intelligence Services

The final few clauses for the security services aspects of the Bill were voted through today, but with attempts from the Opposition to ensure that proper rights of redress existed following automated decision making, and that international transfers of personal data went only to countries which had been given the data protection stamp of approval.

I re-made my case, in line with comments from the Joint Committee on Human Rights, that if the UK leaves the EU it will no longer be able to rely on the national security exemption under the EU Treaties (namely that national security is a reserved matter for Member States and nothing to do with the EU).

As such, when seeking to secure and maintain adequacy, the EU could post-Brexit look at the whole data protection environment in the UK as a third country. This would mean that any international transfers of the personal data of UK or EU citizens to countries deemed by the EU to be inadequate would risk cancelling our adequacy agreement.

The Home Office Minister, Victoria Atkins MP, made the point that Canada has an adequacy decision but failed to recognise that the European Commission has raised concerns with it about data transfers to the US (which puts Canada’s data adequacy at risk, too). This issue seemed, therefore, to not be of concern to the Government.

I also moved another amendment in my name, which made it clear that UK courts must have “regard” to EU courts in the developing area of data protection law. This would help the UK maintain its adequacy with EU law in the future. However, even though the Minister seemed to agree with all my arguments, the Conservative MPs on the committee voted down my amendment anyway.

Other Issues

We covered lots of other issues today, including new laws for age appropriate design to put extra pressure on companies to build consent and privacy tools that work for children.

We also started a conversation on the value of personal data: an area which I think needs much deeper and more urgent attention. The NHS, for example, is a global treasure trove of health data yet we don’t employ data scientists in the NHS nor do we have formal Government policy on how to ensure full value of that data for the NHS and NHS patients. This is a topic which I’ll return to later in the year through other related work.

And I raised the question with the Minister about the issues of consent, and the new offence of re-identification of de-identified personal data. However, I failed to get a useful response, so we will need to return to this at a later stage.

Finally, I wrote to Margot James MP today to re-assert my concerns with the democratic engagement rule which allows companies to process personal data without consent in the public interest. My concern is that this would have allowed Cambridge Analytica to do what it did. You can read my letter to the Minister here.

I’d better leave it there – but we’re back at it on Thursday for what will probably be the final day. I’ll be moving my new clause which seeks to bring technology ethics on a statutory footing. Given the big ethical questions associated with Cambridge Analytica, I hope the Government supports my new clause!

Darren Jones is the Labour MP for Bristol North West, a member of the EU Scrutiny Select Committee and Science and Technology Select Committee and is currently serving on the Public Bill Committee for the Data Protection Bill. He tweets at @darrenpjones.