My Lords, with the leave of the House, I will repeat in the form of a Statement the Answer given by my right honourable friend the Secretary of State for Digital, Culture, Media and Sport to an Urgent Question in another place. The Statement is as follows:
“Mr Speaker, the revelations this weekend of a serious alleged privacy breach involving Facebook data are clearly very worrying. It is reported that a whistleblower told the Observer newspaper that Cambridge Analytica exploited the Facebook data of over 50 million people globally.
In our increasingly digital world, it is essential that people can have confidence that their personal data will be protected. The Information Commissioner, as the data regulator, is already investigating as part of a broader investigation into the use of personal data during political campaigns. The investigation is considering how political parties and campaigns, data analytics companies and social media platforms in the UK have used people’s personal information to micro-target voters. As part of the investigation, she is looking at whether Facebook data was acquired and used illegally. The commissioner has already issued 12 information notices to a range of organisations, using powers under the Data Protection Act 1998. It is imperative that when any organisation receives an information notice, they must comply in full. We expect all organisations involved to co-operate with this investigation in whatever way the Information Commissioner sees fit. I am sure the House will understand that there is only so far I can go in discussing specific details of specific cases.
The appropriate use of data is important for good campaigning. Canvassing someone’s voting intention is as old as democracy itself. Indeed, we do it in this House every day. But it is important that the public are comfortable with how information is gathered, used and shared in modern political campaigns, and it is important that the Information Commissioner has the enforcement powers she needs. The Data Protection Bill, currently in Committee, will strengthen legislation around data protection and give her tougher powers to ensure organisations comply. The Bill gives her the powers to levy significant fines for malpractice of up to 4% of global turnover against organisations that block the ICO’s investigations. It will enhance control, transparency and security of data for people and businesses across the UK.
Because of the lessons learned in this investigation and the difficulties the Information Commissioner has found in getting appropriate engagement from the organisations involved, she has recently requested yet stronger enforcement powers. The power of compulsory audit is already in the Bill, and she has proposed additional criminal sanctions. She has also made the case that it has become clear that, in order to deal with complex investigations like these, the power to compel testimony from individuals is now needed. We are considering these new proposals, and I have no doubt that the House will consider this as the Bill passes through.
Data, properly used, has massive value and social media is a good thing, so we must not leap to the wrong conclusions and shut down all access. We need rules to ensure transparency, clarity and fairness, and this is what the Data Protection Bill will provide. After all, strong data protection laws give citizens confidence, and that is good for everyone”.
I think we all owe a great deal to Carole Cadwalladr and the Guardian for their striking investigative journalism, which has led to a remarkable exposé of what appears to be a significant breach of our data protection laws, and for drawing attention to the threat that such activity poses for our democracy and our polity. I am sure that the DCMS Select Committee will produce a powerful report on these and related matters, and we look forward to seeing that.
I agree with much of what the Secretary of State says in his Answer, not least his belief that we should see whether we can find common ground between the parties on what can be done to improve the Data Protection Bill, which is currently in Committee in the other place. In that context, does the Minister agree that we should think about giving the Information Commissioner the resources that she needs and the additional enforcement powers that she has requested to ensure that, as well as auditing the activity of all data controllers, she has the power to seize papers and digital materials and to require individuals to give evidence when required? Does he also agree that we should think about backing the Electoral Commission’s request for powers—not necessarily in the Data Protection Bill but in other legislation if necessary—so as to introduce better safeguards in this area, including digital imprinting for political advertising?
Given that one of the underlying concerns here is that this is a rapidly changing area, does the Minister agree that we should think about bringing forward plans for a data ethics commission that could look at, inter alia, whether we need personal copyright in data, the changes that might be required to the e-commerce directive post Brexit, and such backstop powers as may be needed once this alleged data breach has been properly investigated? Finally, does he agree that we should meet in the not too distant future to discuss how best to make progress on these important issues?
My Lords, I thank the noble Lord for his constructive remarks. I too pay tribute to the Guardian and the journalists who worked on this. Certainly they have exposed questions to answer but we will have to see what the ICO comes up with in its investigation, and it is very important not to prejudge that. I agree with the noble Lord that there is common ground between us. We found common ground to improve the Data Protection Bill as it went through this House. Six hundred and ninety-two amendments were considered and a great number were accepted, so I think that that worked very well as regards the Official Opposition and the Lib Dems. That is a good example of where we have done well in scrutinising legislation.
In the Commons, in particular, the Secretary of State made it clear that we will consider what the Information Commissioner has asked for in respect of new powers. I would say that, generally speaking, during the passage of the Bill we have liaised very well with the Information Commissioner, and I was present at a call this morning to discuss these matters, among others, with her.
The noble Lord also talked about safeguards during elections, and of course we take them very seriously. It is absolutely critical that advances in data-mining analysis allow free and fair elections, and we will obviously consider that.
The data ethics and innovation group is proceeding and I think we are working as fast as we can. It is a very important area for the reasons that the noble Lord mentioned. Of course, I am always delighted to meet him to discuss any further progress that we can make on the Data Protection Bill, although we are getting short of time. I remind everyone that the GDPR comes into place on
My Lords, I think we all agree that these allegations against Cambridge Analytica, if correct, indicate a shocking betrayal of people’s personal data and that this could be the tip of a large iceberg. All campaign work linked to Cambridge Analytica must now be scrutinised, including any links to elections in the UK. Will the Minister ensure that, as part of the investigation, the Information Commissioner takes steps to look into links between the breach of data privacy and elections and referenda in this country? I join in thanking him for encouraging cross-party co-operation on this matter, which I agree is very important.
My Lords, I want to put on the record that we absolutely agree with the noble Baroness that if these allegations—and at the moment they are allegations—are correct, that will be truly shocking. The new Data Protection Bill will bring forward stronger enforcement powers, and, as we have said, we might strengthen them even further. It is very important to consider that some people have said that the powers in the new Data Protection Bill are too burdensome. That shows exactly why we need strengthened individual data subjects’ rights and the means to protect them. The privacy of individual data subjects must be taken extremely seriously, and the Bill will do that. Of course, the Information Commissioner will certainly take seriously any links that she finds between any data breaches and elections, and I confirm to the noble Baroness that we will too.
My Lords, the Minister has, very understandably, spoken as though the problem that we are addressing is breach of privacy, and that is of course what data protection legislation is intended to achieve. However, does he not think that new uses of data, including personal data, by digital media and specifically by social media are evading the way in which we would like elections to be conducted and enabling data use that is not merely a breach of privacy but a breach of public interest?
I have to give a short answer to what is an extremely difficult question. I certainly agree with the noble Baroness that there are more questions to answer than simply those about data protection in the fairly broad confines of the Data Protection Bill. Of course, the data ethics and innovation body is there to consider some of the wider aspects. Many other areas are evolving, and I cannot say that we have all the answers in this one Bill but we are certainly looking at the issues. Our ambition is to make the internet a safe place to be. We have to take into account all areas of public interest, and I agree that elections are certainly matters of public interest.
My Lords, can I take the Minister a step further on the question raised by the noble Baroness and my noble friend? He has referred extensively to the Information Commissioner, but in one very important respect this is a matter of concern to the Electoral Commission. We have a vehicle for improving the powers of the Information Commissioner but we do not at the moment have any vehicle to improve the powers and investigative processes of the Electoral Commission. Will the Minister confirm whether the Electoral Commission is looking at the issue of whether Cambridge Analytica employed at any stage, or gave advice at any stage to, any of the participants in the leave campaign during the referendum? If so, has he received any advice from the Electoral Commission as to whether the law needs to be tightened up in that respect, too?
As we understand it, one of the companies concerned may well be not a UK-owned company—in which case it would of course be an ineligible contributor to any campaign such as a referendum. Given that it is possible that, within a matter of months, we may have another referendum, I suggest to the noble Lord and to the Government that this is a matter of some urgency, and therefore cannot be left simply to improving the powers of the Information Commissioner.
I am not sure that I agree with the premise of the latter part of the noble Lord’s question. Nevertheless, he makes a sensible point about the Electoral Commission, which is, I believe, a Cabinet Office responsibility. I cannot confirm whether the Electoral Commission is currently conducting the investigation that the noble Lord asked about, but I will certainly find out. What I can say is that, as far as data is concerned, which is my responsibility, we continue to have cross-party talks on areas of interest, including with the noble Lord’s own party. I recently participated in a round table with the Secretary of State and representatives from the Labour Party and the Lib Dems to talk about how we can go forward as far as political parties and elections are concerned. The Electoral Commission was raised at that stage—but I will have to come back to the noble Lord on the specifics of his question on the Electoral Commission.
Sitting suspended. Committee to begin again not before 7.38 pm.