I am pleased to have secured this debate. I am, of course, delighted to see the Under-Secretary of State for Culture, Media and Sport at the Dispatch Box, although I am a little surprised that a Ministry of Justice Minister is not here instead. The hon. Gentleman will understand why as I develop my argument.
However, the specific issue that I want to talk about is the use of personal data by mobile phone companies and the special sensitivity that arises because of the fact that the mobile phone companies know the location of the user. On
The day after reading that article, I wrote to the Minister and requested various assurances from him. I have not had an answer so far, but perhaps this evening he will respond to the points I made. I asked him whether he had discussed the matter with industry, what steps the Government had taken to ensure that such data do not fall into undesirable hands, whether he had had a report from the Metropolitan police, whether the Government believe that it is right that a larger range of data are being used and sold than is allowed under RIPA, and what action the Government are taking to protect our citizens.
Because I did not receive an answer, I wrote to the mobile phone companies and the Information Commissioner’s Office, most of which provided full responses. I also had meetings with EE, the Open Rights Group and Big Brother Watch. Three companies told me that they do not sell on personal data at all, Ipsos MORI explained that the data were aggregated into groups of at least 50 people, and Telefonica pointed out, reasonably enough, that the location data are needed for “find my nearest” services. When I asked EE if the public might judge themselves whether they were satisfied with the arrangements it had made with Ipsos MORI and suggested that the way to achieve that would be for it to publish its contract with Ipsos MORI regarding the sale, it said that it could not do so because it was “confidential”.
All the companies said they believed that their practices fell within the Data Protection Act 1998 and that the data had been anonymised as defined in that Act. The ICO said that having datasets with names or addresses stripped out and aggregated into groups of 50
“does not enable particular individuals to be identified”.
Unfortunately that is not the case. By combining these data with other datasets—for example, those of the Land Registry—individual people can be identified. In March this year, Nature published a science report by academics at the Massachusetts Institute of Technology and Harvard, Louvain and Valparaiso universities which concluded that
“in a dataset where the location of an individual is specified hourly…four spatio-temporal points are enough to uniquely identify 95% of the individuals…These findings represent fundamental constraints to an individual's privacy and have important implications for the design of frameworks and institutions dedicated to protect the privacy of individuals.”
I thank the hon. Lady for bringing this vital issue to the House. A week does not pass in my constituency without the police warning people to be aware of a scam. Data seem to become available to many organisations, especially the mobile phone groups. Does the hon. Lady agree—I hope the Minister will also respond to this—that, rather than addressing the issue regionally, it would be best to do so with a strategy across the whole United Kingdom of Great Britain and Northern Ireland?
The hon. Gentleman is absolutely right. Indeed, the European Union will make proposals, which will obviously cover the United Kingdom. That is essential, because we are dealing with international companies, so we need international agreements to tackle the problems.
The current law is inadequate to protect people’s privacy, partly because there has been significant technological change since 1998. The advent of cloud computing and the increasing sharing of personal information on online social networks mean that fewer and fewer data are needed to identify people. Furthermore, the current consent rules are completely inadequate. For consent to be meaningful, it needs to be explicit, informed and freely given. Usually, that is not the case—the consent is buried somewhere in paragraph 157 of the terms and conditions—and people have no option to refuse if they want the service at all.
Data are not used for the purposes requested or desired by their owner. In other words, the legal definition of legitimate use is too weak. The data that mobile phone companies hold are extremely sensitive and neither those that they sell nor their changed use have been agreed with the customers. The sanctions are weak, as is evident from the fact that the ICO will fine Google only £500,000 if it does not change its policies.
There are two relevant laws: the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. Do the Government think there is a proper legal basis for processing customers’ location data for the benefit of the marketing purposes of third parties? Does the Minister believe that the ICO is taking enough action to require mobile phone companies to keep consumers informed?
If the Government think that the public are not bothered, they are surely mistaken. Last year Demos carried out some public opinion surveys as part of a report on data sharing and protection. The surveys found that losing control of personal information is the public’s most significant concern with regard to using new technology. They also found that people are sharing more, but that they have a “crisis of confidence” in relation to it. On sharing personal data, 52% of the public were non-sharers or sceptics, compared with only 27% who were described as value hunters or enthusiastic sharers.
Against that background, Neelie Kroes, the EU commissioner for the digital agenda, has made proposals to give people effective control over their personal data, which is a fundamental right for all EU citizens. Under her proposals, an individual’s consent would have to be given explicitly and there would also be a new right to be forgotten whereby, if requested, a data holder would have to delete all the data they hold on a particular person. She also proposes that people should have easier access to their personal data; that there should be a right to transfer those data from one data holder to another; that people should receive speedy information of personal data security breaches; and that there should be stronger protection for children.
The Justice Select Committee has described the draft regulation as necessary and agrees that a shared approach across the EU is necessary for dealing with these large multinational companies, yet the Lord Chancellor has described the proposals as “mad”. The Government have complained about the costs and the potential loss of £15 million of income in fees to the ICO.
Of course no one wants to impose unnecessary burdens on business, and especially not on small and medium-sized enterprises, but if the Government got their act together and started taxing those large new media companies properly, they would easily acquire the necessary resources to enable the institutions to provide proper protection for our citizens. That is evident from the fact that Google paid only £3 million in tax on a £2 billion turnover.
Furthermore, the Government seem to be supporting attempts to weaken people’s rights. The Ministry of Justice’s summary of responses document, which it published in June 2012, said that the Government would
“resist the proposal that subject access rights be exercisable free of charge”, and that they would resist the right to be forgotten. Although they accepted that people should receive notifications of data breaches, they resisted the introduction of a speedy timetable for them. They also felt that the imposition of a fine of 2% of turnover would be “disproportionately high”.
To summarise my argument, 70% of Europeans are concerned that companies use data for purposes other than that for which they were collected, and 94% of the British public worry about their online privacy. British people’s data have been used and sold without their knowledge, and the rapid pace of technological change means that the law is in urgent need of updating. Privacy is a fundamental human right and the EU is now bringing forward sensible proposals to tackle this, which the Lord Chancellor has described as “mad”. Is this because the Tory-led Government are so in hock to big business that they refuse to protect citizens’ privacy, or because the Lord Chancellor is so Europhobic that he cannot recognise a good idea when it comes along?
I am grateful for this chance to respond, and I congratulate Helen Goodman on securing this important debate on new media and data protection. I thank her for her kind words about seeing me in my place. She expressed surprise at seeing me here, but she wrote to me about this issue on
As Minister for Communications, I have been involved in trying to strike a balance between the use of personal data and the need to keep people’s privacy secure. As the hon. Lady made clear in her speech, this is a very real issue in the age of the internet. We talk about data, but let us put a bit of colour into this. We share data, as in information about ourselves, every single day on the internet. I was interested to read the recent World Economic Forum report that estimated that we send 47 billion e-mails a day, that we submit 95 million tweets—not always accurate ones—and that we share 30 billion pieces of content on Facebook every day. We are sharing personal data all the time.
A thriving information economy is essential for enhancing our national competitiveness and driving economic growth. That is why the Government have published an information economy strategy that looks at how Government, industry and academia can work together to exploit the many opportunities available in that sphere.
It is important that we distinguish between personal data that we make freely available, and personal data that we give up to mobile phone companies and that may be used in the future. The report to which the hon. Lady refers from
In a parallel world while the hon. Lady was meeting the Information Commissioner’s Office and talking to mobile phone companies, my officials were doing the same having received her letter. In fact, I replied to her letter today, and she should find that reply in her inbox this evening or tomorrow morning. Purely coincidentally, while I was going through my correspondence I found her reply to my letter in my inbox.
When the story broke, the Information Commissioner’s Office spoke to EE—the company referred to—as well as to Ipsos MORI, and was reassured that the detail of the story was not entirely accurate. EE confirmed that it works with Ipsos MORI on customer behaviour and network usage analysis, and to prepare reports on how, when and where its network is being used. However, data shared between the parties is anonymised and aggregated in groupings of a minimum of 50 to remove any individual references or identifiers.
In that respect, the article in The Sunday Times was not entirely accurate. Ipsos MORI did not sell the personal data of 27 million customers to the Metropolitan police as the data are not generically made available. Furthermore, the Information Commissioner’s Office has seen examples of the output that Ipsos MORI created using data from EE, and it confirmed to my officials that they were not sufficiently detailed or granular to enable individuals to be identified.
Ipsos MORI or EE remain responsible for ensuring that any outputs are compliant with the relevant legislation, and do not identify particular individuals. EE has confirmed that position, and is adamant that it would never breach the trust that its customers place in it, and that it complies fully with all relevant regulations. Telefónica O2 says that it does not sell customer data, and has provided details about a product that it, local councils and others use called “Smart Steps”. That is a data analytics tool used to measure and understand the number of people visiting a specific area. Telefónica O2 confirmed that data are anonymised and aggregated, in line with UK and EU data protection legislation. Similarly, 3UK confirmed that it does not sell customer data. It shares information with third parties such as service providers, to help them deliver services to their customers, but that is done in full compliance with privacy laws. Vodafone also provided details of the two legacy analytical projects in which it participates, both of which were designed to comply with the Data Protection Act.
The Information Commissioner’s Office “Anonymisation: managing data protection risk code of practice” provides guidance on how anonymisation can be used to manage and minimise data protection risk when releasing information. That code was published last year in November with the aim of helping organisations ensure their use of anonymisation techniques safeguards individual privacy. I am pleased to say that that code is online on the ICO’s website.
Where data have been anonymised and aggregated, they will not fall within the scope of the Data Protection Act as they do not enable particular individuals to be identified or differentiated from one another. The requirements of the DPA apply only to the processing—the use, disclosure, collection and storage of personal data that relate to an identifiable individual.
The Data Protection Act does not prohibit the sale of personal data—it is not clear that there is a legal loophole as such in terms of companies trading in personal data, but it is something about which individuals should be informed. As the hon. Lady points out, it is important to obtain individuals’ consent. That is an important issue that we should be addressing, particularly in an online world where often one is confronted by terms and conditions of inordinate length that no reasonable person could be expected to read in great detail. I would certainly like to see much simpler terms and conditions specifically designed for an online age covering the essentials necessary to giving informed consent.
The Minister is responding to the points I raised on
I will certainly do that, but I hope the hon. Lady will bear with me briefly, because it is important, given what provoked this debate, that these issues be put on the record.
I was talking about consent and, in my humble opinion, meeting the hon. Lady halfway on some of her concerns, which I think were perfectly legitimate to raise in the House. Personal data required by legislation to be provided and made available to the general public—for example, directors’ information or births, marriages and deaths—can also be sold, but as I said, I would be concerned if any of the mobile operators were to release personal data for sale in contravention of the law. As she made clear, however, that was not her point.
I turn now to the thrust of the hon. Lady’s comments. We have moved on from the report in The Sunday Times to the general issue of how personal data are handled, particularly in an online and digital age. I begin with two points. First, we take this issue very seriously. Quite recently, we strengthened the powers of the Information Commissioner’s Office. All Members will recall the issue with Google street cars, which were sent hither and thither to take pictures of everybody’s houses so as to provide a public service. When data protection was deemed to have been breached, it was discovered that the ICO did not have the powers to fine Google. As she made clear, the ICO is currently considering a privacy case involving Google, and over the heads of Google and of other companies that break privacy laws hangs the possibility of a significant fine from the ICO, thanks to European legislation introduced by the Government. Those fines are already being used to full effect to combat the plague of nuisance calls.
The hon. Lady raised the matter of the proposals currently under discussion in the Commission. I am loth to correct the hon. Lady on any issue, but the proposals are not being put forward by Commissioner Kroes, who is the Commissioner for digital services, but by Commissioner Viviane Reding, who is the Commissioner with responsibility for consumer affairs. The proposals will update the data protection regulations and, as she pointed out, the Ministry of Justice is the lead Department. My right hon. Friend the Lord Chancellor has been to Brussels and he has used the straightforward and plain language that has stood him in such good stead in his career over many years to make clear the concerns of the British Government.
Let me again be clear: we do not oppose the data protection regulations. We support updating the regulations, but we have legitimate concerns about some of the detail. The most notorious regulation, which has grabbed the headlines, is of course the one that goes by that vernacular phrase “the right to be forgotten”. Our concern is straightforward: saying to any ordinary person that we are going to give them the right to be forgotten on the internet will raise a huge amount of expectation. We therefore want absolute clarity on what can be achieved by talking directly to the website—for example, Facebook—whose data we want to erase, and by asking how far that can go and how many other people one has to speak to. The clear concern of the British Government relates to scope.
The hon. Lady is right to raise these concerns. All British citizens are rightly concerned about how their data might be used in a digital. It is right and appropriate that the Government respond in a judicious and sensible fashion.
Question put and agreed to.