The revelation this weekend of a serious alleged privacy breach involving Facebook data is clearly very worrying. It is reported that a whistleblower told The Observer newspaper that Cambridge Analytica exploited the Facebook data of over 50 million people globally.
In our increasingly digital world, it is essential that people can have confidence that their personal data will be protected. The Information Commissioner, as the data regulator, is already investigating as part of a broader investigation into the use of personal data during political campaigns. The investigation is considering how political parties and campaigns, data analytics companies and social media platforms in the UK have used people’s personal information to micro-target voters. As part of the investigation, the commissioner is looking at whether Facebook data was acquired and used illegally. She has already issued 12 information notices to a range of organisations, using powers under the Data Protection Act 1998. It is imperative that when an organisation receives an information notice, it must comply in full. We expect all organisations involved to co-operate with this investigation in whatever way the Information Commissioner sees fit. I am sure that the House will understand that there is only so far I can go in discussing specific details of specific cases.
The appropriate use of data is important for good campaigning. Canvassing someone’s voting intention is as old as democracy itself. Indeed, we do it in the House every day. But it is important that the public are comfortable with how information is gathered, used and shared in modern political campaigns, and it is important that the Information Commissioner has the enforcement powers she needs. The Data Protection Bill, currently in Committee, will strengthen legislation around data protection and give her tougher powers to ensure that organisations comply. The Bill gives her the powers to levy significant fines for malpractice, of up to 4% of global turnover, on organisations that block the investigations by the Information Commissioner’s Office. It will enhance control, transparency and security of data for people and businesses across the country.
Because of the lessons learned in this investigation and the difficulties the Information Commissioner has had in getting appropriate engagement from the organisations involved, she has recently requested yet stronger enforcement powers. The power of compulsory audit is already in the Bill, and she has proposed additional criminal sanctions. She has also made the case that it has become clear that, in order to deal with complex investigations such as these, the power to compel testimony from individuals is now needed. We are considering those new proposals, and I have no doubt that the House will consider that as the Bill passes through the House.
Data, properly used, has massive value, and social media are a good thing, so we must not leap to the wrong conclusions and shut down all access. We need rules to ensure transparency, clarity and fairness, and that is what the Data Protection Bill will provide. After all, strong data protection laws give citizens confidence, and that is good for everyone.
I thank the Secretary of State for his statement. Does he share my concern that an academic at the University of Cambridge, Aleksandr Kogan, was able to conduct surveys with 270,000 Facebook users, and from that was able to access the data of not just the people who completed those surveys but a greater number of accounts, totalling 50 million user profiles?
That information was then sold to Cambridge Analytica, despite Alexander Nix of Cambridge Analytica telling the Digital, Culture, Media and Sport Committee that it had never received such data when he gave evidence to us, which the Committee will seek to pursue with him. That data was then used in campaigns. Facebook knew of that data breach for more than two years and did nothing to act against Cambridge Analytica. It only suspended Cambridge Analytica from the platform when it became clear that The Observer was going to expose this in its feature yesterday.
My first specific question for the Secretary of State and his Department, and by extension the Information Commissioner, is: will someone be contacting Cambridge University to ask what oversight there was of what Dr Kogan and his team were doing there in gathering this data in the first place?
There is an ethical issue here: data gathered in consumer surveys is being used by data analytics companies for political campaigns. No one ever gave consent for this information to be used in political campaigns in this way, and I think many people will be shocked at the way in which their personal data can be harvested so effectively and used in this way—and not by a registered political party, but simply by a data analytics consultancy.
Can the Secretary of State give users some heart by confirming that someone simply ticking a box on a long form on Facebook does not sign away their rights? Can he confirm that no company has the right to ask someone to sign away their rights under data protection legislation in this country, that it would not be enforceable if a company tried to do so and that people’s rights are still protected?
Does the Secretary of State believe there should be a broader investigation into Cambridge Analytica as a company, which many people are concerned is using many different shadow companies and identities to campaign around the world? Many people have raised concerns and questions not just about the way the company is using data but about its ethics and leadership in all aspects of its life.
I am pleased that the Secretary of State addressed the powers of the Information Commissioner. We raised that issue with him in Committee last week, and the Information Commissioner has also raised it. This incident shows that someone in this country needs to have the legal authority to go behind the curtain and look at the way in which the tech platforms and other companies that use data are using that data, to make sure they comply with UK data protection law.
When the Data Protection Bill is passed, we want to be confident that it is being enforced, that the conditions are being met and that big, powerful companies like Facebook cannot avoid compliance with UK data protection law. I am pleased that the Secretary of State raised that. The Committee, and I am sure the whole House, will take note of that on Report.
I start by paying tribute to the work of the Select Committee, as I have done from this Dispatch Box before. It is doing an incredibly important piece of work. Because of the sensitivities of this, in terms of its political nature and the impact on political campaigning, it is excellent that a cross-party group of MPs is leading work on this, and I pay tribute to Members on both sides of the House for their role in that. I remind them that they ultimately have the power of summons, if people are not giving them good enough answers.
I will ensure that we look into all the considerations my hon. Friend mentions. He raised a point about consent not just being given through a tick box, and this is directly addressed in the Data Protection Bill. Currently, because of the nature of the legislation—the 1998 Act is very old in digital terms—companies can get away with asking for a box to be ticked, even though many people do not read all the small print. The Data Protection Bill will replace the tick-box approach with a principles-based approach, which I think the whole House should support.
Finally, my hon. Friend asked about the powers of Information Commissioner. He is absolutely right that we must, with the legislation before the House right now, ensure that we get the powers right so that the Information Commissioner can carry out an audit. Such a power is already in the Bill, but the question is whether there is a strong enough backstop for when people choose not to comply with an audit. At the moment, there is a very serious fine, but the question is whether the criminal penalties that can be imposed in some cases should be further strengthened. That detail is rightly being looked at in the discussions on the Data Protection Bill.
I too pay tribute to the Committee. I also pay tribute to The Guardian newspaper and Carole Cadwalladr for pursuing this with such utter relentlessness, despite the harassment that she has received. If true, these allegations provide an utter indictment of the permissive environment that this Government have created, which has allowed the data giants in this country to be both careless and carefree in their misuse of data. If they are true, 50 million data records have been misused in a way that means rights have been breached, but also in a way that could have affected the outcome of elections and referendums.
I am grateful to the Secretary of State for considering amendments to the Data Protection Bill. Will he confirm that he will bring forward amendments for stronger powers for the Information Commissioner? If he does so, we will back him on them. Will he also now accept our amendments to set a deadline for modernising the e-commerce directive, which treats such companies under laws that were invented before they were even born? Will he think again about making it possible, in the way that we have set out, to bring class actions where data rights are breached so that they are actually accessible to people, and will he support our amendments to require disclosure of funding for the dark social ads that we know can influence elections and, indeed, referendums?
The final point for the Secretary of State to consider is whether the directors of Cambridge Analytica can still be judged fit and proper people to hold directorships. Will he confirm not only that the Information Commissioner will investigate this breach, but that the full weight of Companies House and the Serious Fraud Office are behind it, so that if these people need to be struck off, they are struck off forthwith?
I add my praise for the Guardian journalists who have done the work published this weekend. I agree with the right hon. Gentleman on many of the issues he raises. It is best to proceed on this with the cross-party consensus that we have on many such areas. I am not sure about the argument that we have dragged our feet, given that this Government have brought forward the Data Protection Bill, and that this Government supported the general data protection regulation very strongly at European level. We are, indeed, already taking action to put right some of the things that need to be strengthened because of the development of technology.
The right hon. Gentleman asked about the e-commerce directive. With Brexit, we will of course be leaving the e-commerce directive, so it is not a question of updating it, but of what to put in its place. We will be leaving the digital single market, and we have an opportunity to make sure that we get that piece of legislation right for the modern age—supporting innovation, growth and the use of modern technology, but doing so in a way that commands the confidence of citizens.
The right hon. Gentleman asked about the directors of Cambridge Analytica. We will of course ensure that people are operating within the law. The question of whether they are fit and proper persons is for a different Department, but I am certainly very happy to talk about that to my ministerial colleagues.
I am sure my right hon. Friend will agree that this news should cause us all great concern. Is not the difficulty that it has been apparent for a long time that the obtaining of data and the use that can be made of it, whether for commercial or political purposes, are a gold mine for those who wish to breach the law, and the sanctions that can be visited on those who do it are entirely inadequate? I am perfectly aware that the Government are amending the legislation, but I do not think the penalties we are enacting for those who behave in this fashion are anything like draconian enough. The financial incentives to break the law are far too great and the penalties are proportionately insufficient. Ultimately, we will have to be much tougher if we are to stop this sort of behaviour.
I have some sympathy with the argument my right hon. and learned Friend makes. A fine of 4% of global turnover is a significant one for an organisation for which data processing is only part of a broader business. Where data processing is the whole business, one could argue that it is less proportionate. We are therefore considering the Information Commissioner’s request. Of course, this is not just about the 4% of global turnover; the criminal offence in clause 145 of the Data Protection Bill carries the highest possible fines, as well as criminal records in England and Wales, for providing false information in response to an information notice, so there already are stronger sanctions for specific actions. The point he makes is one that has been made recently by the Information Commissioner and, therefore, one that is worth listening to.
Like most people across the House, I was shocked to read the revelations in The Observer. This story is yet more evidence that the online political advertising market is growing exponentially and becoming more and more difficult to police. We are seeing Russian authorities purchasing political ads with extensive micro-targeting based on ill-gotten or unlawful user data. If left unregulated, this market will continue to be prone to deception and lacking in transparency. Urgent action is clearly required, so what plans do the Government have to take the required action?
I am pleased to hear that.
Lastly, there have been reports that the Conservative party has been in talks with Cambridge Analytica for some time. If that is true, how long have they been in talks and what did the party know about its dealings with Facebook? Do the Government plan to hold an inquiry? If so, is the Secretary of State worried about a conflict of interest, given the Conservative party’s plans to use Cambridge Analytica for its own benefit?
I have answered the first part of the hon. Gentleman’s set of questions. I broadly agree with him that this is a serious and worrying incident. We need to ensure that the Bill that is before the House puts in place enforcement powers behind the ability to audit that the Information Commissioner will get from the Bill. On the questions about the Conservative party, as far as I understand it the Conservative party has no such dealings with Cambridge Analytica and, therefore, no conflict arises.
I have been the victim of false news stories being micro-targeted at Facebook accounts in my constituency to deliberately undermine me and cause hate. I thank the Secretary of State for prioritising the Data Protection Bill and delivering the general data protection regulation to make sure that our law is clear and enforceable. How does he intend to work with Governments in other countries to ensure that there is no wild west or evil east when it comes to the use of personal data?
I have said that the wild west of digital companies that flout rules and think that the best thing to do is move fast and break things, without thought for the impact on democracy and society, is over. The Data Protection Bill is part of a suite of actions that we are taking to ensure that we have the freedoms that we cherish online, but not the freedom to harm others. That affects many different areas, brought together under our digital charter, and getting the rules right in that space is an important part of our response.
I, too, pay tribute to the work of the Select Committee on Digital, Culture, Media and Sport and The Guardian. Dr Kogan was able to pass the information to Cambridge Analytica. The Secretary of State will know about the reports that Dr Kogan also had teaching posts and grants for social media research from a Russian university, and that Cambridge Analytica did some work for a Russian firm that is currently on the US sanctions list. Has the Secretary of State investigated the veracity of the reports? Has he or a Home Office Minister been in touch directly with Facebook to ask them what further data breaches might have taken place and to ask them to investigate? If they will not provide that information, does he agree with my colleagues’ request that powers should be taken to ensure that we can get it?
Of course we have been in contact with Facebook about that. It is very early stages in terms of the specific allegations that were made at the weekend, but this is part of a longer dialogue about ensuring that Facebook treats the problems with the seriousness that they deserve. The focus today is on Facebook, but in the autumn, we came to the House to discuss Uber’s attitude to data breaches. I do not want to have to come the House again and again to talk about breaches by big data companies. That is why we need to update the law and get that in place as soon as possible.
If evidence emerges via the work of the Information Commissioner, the Electoral Commission, the Select Committee, The Guardian or anyone else that any organisation misused people’s data to interfere in a UK election or referendum, will the Secretary of State guarantee that a full public inquiry is established to find out what happened and what the implications were?
Given the important role that Cambridge Analytica played in the EU referendum and given the links made by the fantastic journalism in The Observer and elsewhere with the Kremlin’s wider campaign of undermining and interfering in our and America’s politics, will the Secretary of State assure the House that all the inquiries and investigations that we have discussed here today get the full co-operation and support of the British intelligence and security services?
The Secretary of State knows that I have long called for a comprehensive forward-looking review of data sharing and abuse, so that our citizens can have the data rights they deserve. The Data Protection Bill does not achieve that. It does not define property rights or market power in data, or algorithmic abuse. Facebook is on the wrong side of history on this and its share price is crashing as a result of the great work of the journalist Carole Cadwalladr. Will the Secretary of State take action or go down as the last dinosaur in an age of data ethics?
Few Governments are doing more to get the rules right in this space. The Data Protection Bill has a full suite of data protection provisions, including the GDPR from European law, to give people power over their data and consent about how it is used. I recommend that the hon. Lady read the Bill and get on board. If she has specific improvements to suggest, we are willing, as we have been throughout the passage of the Bill, to listen and consider them, as we have done with the proposals made by the Information Commissioner and the Select Committee, because we want to ensure that we get the legislation right.
In the years before the 2008 crash, we were told that the people who were running the City of London were the masters of the universe and we could not touch them. We are seeing the same sort of arrogance from the large internet companies, such as Facebook. The way they are using data, and researching how to use data, is completely unregulated. Other areas of research that affect people’s lives are highly regulated. The Data Protection Bill does not go far enough to protect people’s data and the research that goes into manipulating it.
I exhort the Secretary of State to imagine that at the end of the hon. Gentleman’s peroration there was in fact a question mark.
I agree with the premise of the hon. Gentleman’s statement—or question, Mr Speaker. I agree with him that the attitude of the social media giants has been, “Government should get out of the way, because we are doing things differently and better.” It may be a good thing for 95% of us that we are better connected and can use social media in positive ways, as many Members do, but there are serious risks and downsides that need to be addressed properly and appropriately. They are best addressed through legislation where necessary. The parallels he makes are telling.
This is not simply a matter of Cambridge Analytica using data allegedly handed over by a social media provider; this is a matter of Facebook behaving as though its users are raw material to be exploited. Their apparent willingness to do this has been increasingly linked to concerns about the integrity of our democracy. Surely, now is the time to require social media providers to conform to a compulsory code of conduct?
Indeed. A compulsory code of conduct in some areas is in the Bill, especially with respect to the treatment of children. We have a statutory code of conduct in the Digital Economy Act 2017. This whole area is one where we have to ensure that the liberal values, to support freedom but not the freedom to harm others, that we apply through legislation to many other parts of our lives are brought to bear on the online world as well. That is what I mean when I say that the wild west is over.
In the Data Protection Public Bill Committee last week, the Government rejected Opposition amendments that would give full effect to the European requirement for consumer groups such as Which? to be able to bring class actions on behalf of large groups of consumers who have been subject to a data breach. The Government initially ignored that and then tabled an amendment for that to be done on an opt-in basis. Given the revelations about Cambridge Analytica and the fact that none of us knows whether we are included in the 50 million Facebook profiles that have been hacked, will the Government reconsider their position and move to an opt-out basis in line with European Union law?
European Union laws allow for opt-in or opt-out. The Bill is about strengthening people’s consent. To say that names will be taken forward as part of a legal action without their consent unless they opt out is against the spirit of the rest of the Bill. Having said that, we have listened to the debate in the other place and here, and we have said that within 20 months of the Bill coming into force we will review how the opt-in system is working, because we want this to be based on the evidence.
The chairman of the Electoral Commission, Sir John Holmes, openly warned at the end of last year that a perfect storm is putting our democratic processes in peril. He called for urgent steps to deliver transparency around political advertising. Will the Secretary of State now answer that call as a priority?
The question raised by the Electoral Commission is a priority that we are considering, and we will have answers in due course.
Andy Wigmore, who was director of communications for Leave.EU has described the services provided by Cambridge Analytica as “our most potent weapon” in the referendum. They are calculated to be worth in the region of hundreds of thousands of pounds. They were a donation-in-kind, not a penny of which was reported to the Electoral Commission. I wrote to the Electoral Commission about this last year, and I am pleased to say that it has launched an investigation. Does the Secretary of State agree that if it turns out that Cambridge Analytica has been in flagrant breach of our electoral rules, that would place a pretty huge question mark over the referendum result?
We have not seen any evidence of the impact of these things calling into question the outcome of any electoral event, whether an election or the referendum. What we need to do is make sure that these investigations take their course.
The difficulty is that Facebook holds all the evidence, and we cannot have access to it. We know that Facebook approached probably everyone in this House before the last two general elections, indicating that it wanted to help us to win our seats. Will the Secretary of State join those of us who are very concerned about this issue and ask Facebook to come clean about all the information that it has, where it got it from and how it used it?
There are increased powers of transparency in the Bill. Most importantly, the Bill has in it the power for the Information Commissioner to audit and therefore to demand information to undertake such investigations. Making sure that the Bill gets on to the statute book is the single best way that we can make progress on stopping flagrant breaches in the future.
People across the nations using Facebook will be feeling betrayed by these revelations. They will feel that there must be an investigation and that lawbreakers must be brought to account. Given the Minister’s assurances over Tory party involvement, will he guarantee that all political involvement uncovered in this scandal with Cambridge Analytica will be investigated transparently?
My instinct is absolutely yes. Of course, that is a matter for the Information Commissioner, rightly, because she is independent of political parties. The final answer on that is for her, but the hon. Gentleman can see where my instincts lie.
In recent months, having listened to evidence in this area that has been given to us on the Select Committee, it is becoming clear that we have had a lot of half-truths and mistruths, to give the most positive description. The impact on elections and referendums is, to my mind, becoming clearer. We cannot prove it yet, but it is becoming clearer in that the data companies are not giving us evidence on what they do with the information and they are not coming clean on how they use it. What will the Secretary of State do to ensure that British people have confidence that their information is being used within the law and that our elections are absolutely fair, transparent and well reported?
I agree with the hon. Lady very strongly on the premise of her question. The first thing that we will do is listen very carefully to the report of the Select Committee, which as I said at the start, is doing excellent work in this area. We insist that all companies comply properly with what the Select Committee says, and I think that it has plenty more work to do, as we are just discovering. We will not rest until we put this right, because, frankly, the quality of the liberal democracy that we live in depends on having a high-quality political discourse. That means making sure that online, as well as offline, we can have exchanges that are robust but based on reasonableness and an objective truth.
The allegations from the weekend that were uncovered by a brave journalist involved Facebook—it involved Facebook because that is the one that has been caught. Will the Minister assure the House that he will be calling every large company that may be attempting to subvert our democracy into his office to ask them whether they have been involved in any of these data breaches and whether they will come clean, so that we can be confident that our data are protected?
The Minister spoke of the importance of our liberal democratic values. Is he aware of the very concerning attempts by Facebook to block the whistleblower in this case and of allegations that Cambridge Analytica has attempted to block the broadcast of a Channel 4 exposé into this tonight, using a law firm?
Of all the different things that have surprised me and shocked me in this revelation, the decision by Facebook to take down the whistleblower’s Facebook account, and the removal of their WhatsApp account and the Instagram account, was the most surprising—[Hon. Members: “Use a stronger word!”] I thought it was outrageous, and I will say why. Facebook has some serious questions to answer. It will tell its side of the story, but it has some serious questions to answer. To answer this by blocking an account, when at the same time, as we know in this House, it does not act fast enough to block other accounts of obviously outrageous behaviour—[Interruption.] Well, I will tell you what, it shows us that when it needs to, it can block things incredibly quickly, and it will have to do a lot more of that.