My Lords, digital regulation is an incredibly complex subject, as we have heard, and it covers a wide range of diverse areas, so I am very grateful to the committee and to the noble Lord, Lord Gilbert, for producing this comprehensive report. I will focus tonight on data, and I apologise now to the noble Lord, Lord Inglewood, because I am going to get a little bit into the nuts and bolts. In doing so, I am going to concentrate principally on Google, but some of the issues that I raise apply to a greater or lesser extent to other platforms.
Google is the world’s largest digital advertising company but it also provides the world’s leading browser, Chrome; the leading mobile phone operating platform, Android; and the dominant search engine. Its Chromebook operating system, while smaller, is growing fast, and it offers myriad other services to the consumer, such as Gmail, YouTube, Google+, Maps, Google Home and so on. These services are mostly provided to the consumer for free, and in return Google uses them to collect detailed information about people’s online and real-world behaviour, which it then uses to target them with paid advertising.
The sheer quantity of data that Google collects every day is staggering. A recent study by Professor Douglas Schmidt of Vanderbilt University simulated the typical use of an Android phone and found that the phone communicated 11.6 megabytes of user data to Google per day—that is just one device in one day. As an aside, the phone is using your data allowance; you are paying for it to send all this data back to Google. The experiment further showed that even if a user does not interact with any key Google applications, Google is still able to collect considerable data through its tools and by using less visible tracking techniques.
The greatest safeguard over the collection and use of data has to be transparency. As users, we need to understand what is being collected, by whom and what for, and we need the ability to stop it and delete it if we wish. The GDPR and the Data Protection Act represent a step forward but it is already becoming clear that they may not be sufficient for the fast-moving digital world. How many people really understand what Google or indeed any other platform is collecting about them? This is going to become even more important as 5G and the internet of things take off.
GDPR also gives us the right to obtain the data that is held on us, but there are a number of problems. First, it is hard to know who has your data, because of the many third parties I have spoken about, with which you have no direct relationship but are collecting data on you. Secondly, only data deemed personally identifiable will be provided. In Google’s case, this includes only the data that it has collected using the active process I described earlier when you are logged into a Google service. However, as Professor Schmidt’s study showed, the majority of the data Google collects comes from the passive collection method. This data is described as user-anonymous, being linked to different identifiers, such as your device or browser ID; but if you log into a Google service from the same device or browser, either before or afterwards, Google is able to link it to your account.
Thirdly, as the committee’s report points out, the data that must be provided in response to a request does not include the behavioural information that derives from your data. I strongly agree with the committee’s conclusion that this behavioural information should be made available to the subject. I further urge the ICO to look more closely at whether cookie consent requests really meet the right to be informed, and to consider whether data that the platforms describe as user-anonymous are really anything of the sort. There should also be a requirement to provide details of any data that has been provided to third parties, and to provide details of third parties that have been allowed to collect data through one’s website. Does the Minister agree with these suggestions?
The second issue that arises from the way data is collected is one of conflict of interest and market power. I have described the volume of data collected by Google. This is hugely facilitated when the operating system and browser of your phone or computer is provided by Google. In effect, this means that your device is not working for you or protecting your interests; it is working for Google, helping it to obtain your data. Google’s dominance in both browser and phone operating systems strengthens a network effect that has assisted its rise as one of the data monopolies, making it hard for others to break into the market and compete. There has been talk of splitting up these data monopolies, and there must be an argument for somehow separating the activities of providing operating systems and browsers from those of data collection and advertising. At the very least, we should insist on mandatory standards of user protection and transparency to be built into such operating systems and browsers. Doing this would ensure that the software works to protect the interests of the user, not the interests of the advertiser. This would be a strong step towards,
“data protection by design and by default”.
I continue to agree that the CMA should look into the digital advertising market, as repeated in the report, and urge that this structural conflict I have just described is considered as a part of that. I am very sorry that the noble Lord, Lord Tyrie, has had to pull out of this debate. It would have been very good to have heard what he had to say on the subject. I urge the Minister to encourage the CMA to take a look.
In conclusion, I have suggested that the ICO should look into one element and that the CMA should review another—both elements are related. I think this emphasises the need for an expert digital authority, as the committee recommends, if only to act as gatekeeper and make sure that issues do not fall between the cracks.