Most people are not sure who is collecting what data on them, and what then happens to that data. But we like to use social media, and to get reminders of things we’ve missed in our online shopping basket, and our smartphones have – for many of us – become a continuously connected extension of ourselves.
But when we think about our medical data, or information about our children on the National Pupil Database, or the tracking of our physical or online locations and travel patterns, it starts to get a bit more concerning.
And when companies lose our credit card details, or we fail to get a job because of an unflattering photo online from years ago, or targeted advertising reveals our secrets to those we wish not to know, it starts to get very dark indeed.
This is all happening today, and it’s only going to get worse. The upside is more efficient public services, a more productive economy and an enhancement of our day-to-day lives. The downside is an intrusion into our personal lives and a breakdown of our rights to privacy at a level never seen before.
That’s why it’s so important to get the Data Protection Bill right. It sets out how companies, the government, the police and the secret services can collect, store and process our personal data. And it brings our rights and enforcement powers as citizens into law. And if Brexit is to happen (I try to remain optimistic that it won’t), it provides a parking space for the UK to copy and paste new EU data protection laws – the General Data Protection Regulation – into UK law following Brexit.
But the Bill isn’t perfect, and it’s not a complete package. Investigatory Powers, ePrivacy, Network and Information Security and a debate with the public on data ethics are all different legislative pieces of the puzzle. And that’s why we must take this opportunity to make our new data protection laws fit for the future.
As is often the case, it’s important to start with basic principles. The Data Protection Bill should set out fundamental legal rights to privacy and the protection of personal data. Today, that’s found in the EU Charter of Fundamental Rights – which the Government is repealing. It must make its way back into the Data Protection Bill.
And as Daniel Zeichner MP said at Second Reading, we mustn’t allow for the “hard coding” of historic biases into algorithms which increasingly make decisions about us every day. Fairness and some form of accountability must be applied to algorithmic decision making.
But the elephant in the room is the imminent need for a finding of “adequacy” with the European Commission. 11% of global data flows come through the UK, 75% of which are with the EU. Maintaining our data flow access through the EU is going to be vital, which requires the Government to do two things.
Firstly, it must be honest and clear that the UK will have to continue to apply EU derived data protection laws for evermore. And that we won’t have any real influence in deciding what those rules will be.
Secondly, it must amend the Bill to row back on its constant desire to want to give itself limitless powers to change laws in its favour without a vote in Parliament. That means sorting out the issue of giving itself a get out clause from regulation for the purposes of widely defined reasons such as “immigration control” and the “exercise of public authority”. And it means admitting that our national security powers – especially on bulk collection and retention of data – will be an important consideration for the European Commission when assessing our UK equivalence with EU law.
And we should be honest that most people are unable to bring their own individual claims when their rights have been ignored often by large corporates or the state. That’s why citizens need a right of collective redress where organisations such as Citizens Advice or Which? could bring actions on behalf of citizens, as exists in consumer rights law today.
And lastly, in the government’s attempt to seek to secure as many non-EU based trade deals as possible, I sincerely hope that the government won’t agree to diverge from EU law in the future, in order to strike a digital economy services deal with the United States. We should be proud of the influence Britain has had in the EU at setting a strong privacy-first set of regulations that could become a global example of how it should be done.
Any deviation from that, and any refusal to put basic rights into law on the face of the Bill, will be a dereliction of duty in making our new data protection rules fit for the future.
Darren Jones is the Labour Member of Parliament for Bristol North West, a Member of the Science & Technology and EU Scrutiny Select Committees and a member of the Data Protection Bill public bill committee. He tweets at @darrenpjones.