1 The UK recognises the following Data Rights:
Article 1 —Equality of Treatment
1 Every data subject has the right to fair and equal treatment in the processing of his or her personal data.
Article 2 — Security
1 Every data subject has the right to security and protection of their personal data and information systems.
Access requests by government must be for the purpose of combating serious crime and subject to independent authorisation.
Article 3 — Free Expression
1 Every data subject has the right to deploy his or her personal data in pursuit of their fundamental rights to freedom of expression, thought and conscience.
Article 4 — Equality of Access
1 Every data subject has the right to access and participate in the digital environment on equal terms.
Internet access should be open.
Article 5 — Privacy
1 Every data subject has right to respect for their personal data and information systems and as part of his or her fundamental right to private and family life, home and communications.
Article 6 — Ownership and Control
1 Every data subject is entitled to know the purpose for which personal data is being processed to exercise his or her right to ownership. Government, corporations and data controllers must obtain meaningful consent for use of people’s personal data.
Every data subject has the right to own and control his or her personal data.
Every data subject is entitled to proportionate share of income or other benefit derived from his or her personal data as part of the right to own.
Article 7 — Algorithms
1 Every data subject has the right to transparent and equal treatment in the processing of his or her personal data by an algorithm or automated system.
Every data subject is entitled to meaningful human control in making significant decisions – algorithms and automated systems must not be deployed to make significant decisions.
Article 8 — Participation
1 Every data subject has the right to deploy his or her personal data and information systems to communicate in pursuit of the fundamental right to freedom of association.
Article 9 — Protection
1 Every data subject has the right to safety and protection from harassment and other targeting through use of personal data whether sexual, social or commercial.
Article 10 — Removal
1 Every data subject is entitled to revise and remove their personal data.
Breach of any right in this Bill will entitle the data subject to fair and equitable compensation under existing enforcement provisions. If none apply, the Centre for Data Ethics will establish and administer a compensation scheme to ensure just remedy for any breaches.
Application to Children
1 The application of these rights to a person less than 18 years of age must be read in conjunction with the rights set out in the United Nations Convention on the Rights of the Child.
1 Where an information society service processes data of persons less than 18 years of age it must do so under the age appropriate design code.”
We now come to the good stuff. Members of the Committee can look forward to an enormous amount of ground to cover in the debates ahead. We will try to speed through it as quickly as we can, but there is an awful lot of ground to cover. New clauses 5 and 6 and new schedule 1, tabled in my name and that of my hon. Friends, are an attempt to provoke the Government into being more ambitious in their strategy for the digital world. Every so often, as a great nation, we make important declarations of rights.
Rights are important because they ensure that progress is democratised, but they also provide important new protections against new imbalances of power that arise. We really began to turn our minds to this about 803 years ago when we came up with Magna Carta. We then made a much more sweeping and important statement that received Royal Assent on
Over the years, the regime of rights that we have pioneered in this country has been absolutely fundamental to the progress that we have made as a nation. If we go back to the debates here in the 1630s and 1640s, we see that the rights of new entrepreneurs to defend the wealth that they had created through trading, particularly in the Atlantic colonies—examples include the Virginia Company and, later, the East India Company—and the rights that we sought to enshrine and protect against arbitrary taxation, were absolutely fundamental in laying the foundation for the industrial revolution that really began to take off in the years after the Bill of Rights was enshrined by William III in 1689.
The argument that I want to make this morning is that the sweeping changes of the digital age mean that it would be wise of us to consider a similarly ambitious set of rights for the digital age. Anyone who has an interest in economic history will know that, ultimately, we can never contract for anything. Ultimately, a handshake will always be as important as a contract, and a handshake relies on an environment of trust. When countries do not have environments of trust, they lack economic institutions that allow their economies to flourish.
The challenge in this country today is that we are not making quite as much progress with the digital economy as perhaps we could be. Indeed, in most international indexes, where we should be at the top, we are normally batting at about fifth and sixth. That is not terrible, but most of us would like it to be better. We are the home of the scientific revolution and the industrial revolution. We should be at the top of the table, not fifth and sixth.
That provokes us to ask what is the state of online trust and digital trust in this country. The figures that I have dug out are for the time before the scandals that we have learned about over the last couple of weeks, which will not have put trust levels up. Online fraud is now growing very quickly. In fact, Action Fraud says that 70% of all fraud is now cyber-enabled. That is not simply a commercial problem; it is also a public sector problem. Public services such as the NHS hold vast quantities of public data. The NHS has been hit very badly by malware in a way that has provoked real questions about the UK’s digital resilience. The National Audit Office said that the NHS and the then Department of Health must “get their act together” or suffer far worse than the chaos of 2017. Edelman recently produced a survey that said that one quarter of the UK population trusts social media and 61% trust traditional media, so there are huge imbalances in what people trust today.
I have been interested in this question for a while, and I have been interested in seeing what we can learn from some of the world’s digital leaders. On a recent visit to Estonia, which is by some agreement the world’s leading digital society, the thing that really struck me was the fact that digital trust is supremely high. The Government of Estonia took the big decision, when they left that north-west corner of the USSR, that they would have to take a big gamble on the future. As we leave the north-west corner of Europe, we need to be taking a similar big bet on the future. We need to be betting on digital in the way we bet on steam a couple of centuries ago.
Two things are absolutely key to the digital environment in Estonia. One is a platform called X-Road, which allows Government data from distributed databases to come together to answer particular kinds of problems, but absolutely fundamental is the public option of an e-ID scheme. That involves two-factor authentication and it comes with important features such as the ability for people to look online at who has been using their data, who has been accessing it, and what they have been using it for. In fact, doctors and police officers have gone to jail because they have misused their ability to access online records—medical records, for instance.
Anyone in this country who has tried to file their taxes online, as I did early in January, will know that the Government gateway here is nowhere near that level. Once I had been issued with my fifth online ID, I frankly gave up and rang the MPs’ hotline, and the person there said, “Yeah, we’ve had lots of problems like this. You can just file your tax return on paper like everybody else.” We are sadly lacking the kind of digital infrastructure that many other countries enjoy.
The point about the public option for electronic ID is that there is a country that has decided that the right to a secure ID is a fundamental right, and on that fundamental right has flourished a digital economy that has helped to create the world’s leading digital society. There are now 3,000 Government e-services and 5,000 private sector e-services that sit on top of that platform. When I met the former Prime Minister of Estonia, he said that the key to winning the argument was that financial institutions such as banks were so confident in the public infrastructure that had been created that they were prepared to go out to the public in Estonia and say, “The public option for an electronic ID is the right option.”
Think about how many different IDs and passwords we have. Think about the complexity and the risk that creates. We have no idea who is using all that data. The point is that if we have a secure regime of trust, it will become possible for a private sector to flourish in a new way. That is why we think having a much more comprehensive bill of digital rights—or a bill of data rights, as we have had to call it to get it in scope—is compelling, and we would like the Government to consider it.
This is not just about the new freedoms that we might want guaranteed by these new rights. There is also the question of the new protections we might want from them.
I had that sense. The key thing about Estonia, aside from the fact that it is a far, far smaller country, is that the register for the digital ID that the right hon. Gentleman is talking about is held centrally by the Government. There is a fundamental difference between this country and Estonia. If he were seriously to propose to citizens in the UK that the Government should hold that central register, I think they would give him pretty short shrift. In his long lecture, will he either make the case for a Government-held central register or acknowledge that it would still be a pretty tough thing to get past the British public?
I am very happy to. I am lucky enough to be able to draw on my extensive experience as the Minister for ID cards in the Labour Government. I will take the hon. Gentleman, in detail, through the architecture I proposed. Well, he asked for it.
The challenge we confronted in about 2006 is that we originally proposed one big database for all the data, including biometric data. That was an error. The architecture I proposed in its stead was a way of connecting three different databases—one that would have basically held Driver and Vehicle Licensing Agency data, a second that would have held the passport services data, and then a couple of identifiers that would have allowed those two records to be indexed and joined together. That brought the cost of the ID card system down by about two thirds.
Although the hon. Member for Boston and Skegness says that the British public would not like Government databases to hold all that information, that happens to be the country they live in. The Passport Office and DVLA hold comprehensive data on most people, and people find that extremely useful.
I was very careful about what I said. What I said was not that we should have compulsory e-ID, but that we should have a public option so people can choose to use it. That is obviously a different regime from Estonia’s, where ID cards have been compulsory since the country was invented about a century ago.
Giving people a public option would be quite attractive. There are, however, important safeguards that we need to learn from. It would be a mistake to have biometric information connected to that kind of service. We do not need biometric information connected to that kind of service. The ID card system in India has gone down that route, and it has suffered pretty significant leaks of biometric data over the past year and a half. If people get their hands on that data, that will be far more dangerous. The Estonian system, in which people have an electronic ID and a password that sits in their head—a two-factor authentication—has proven much more successful.
My broader point is that we should have a debate about the data rights that we, as citizens of this country, should have. Partly, that is about having rights to things that would make our lives better and would allow us to pursue new freedoms, such as the freedom not to have a million and one passwords, which we lose track of. It is also about having certain protections. We have had a useful debate, and will have an even longer one shortly, about the right to be treated fairly by algorithms. That is obviously incredibly important. The Government have given a nod in that direction, so the Minister will probably say a little about their digital charter.
On the different sides of the House, there are different philosophies on rights. The Conservative party traditionally defends rights to do with negative freedoms, and my side often talks the language of positive freedoms—the power to do things, which we think is necessary for social justice. However, I hope that in the months ahead we can have a sensible conversation about what negative and positive freedoms we can crystallise and enshrine in a bill of digital rights. At some point in this century, we shall write that. It is inevitable, because the world will change in a way that requires it, and the citizens of this country will begin to demand it. What we are starting to debate today what will come to pass at some point. I hope to be the Minister who drives it through in the next Labour Government, which is imminent.
I hope, too, that we can debate that idea and help to perfect it. Where regimes of rights have been most effective, they have stood the test of time. For something to stand the test of time, it always helps if there is a little—not too much—cross-party consensus.
The new schedule has a couple of ideas at its core, and we are lucky in having been able to draw on not only the rights literature, but the incredible work of Baroness Kidron. As well as being a talented member of the creative industries, she has been one of the leading champions of the creation of strong digital rights for our children. As we have rehearsed in Committee previously, the issue is fundamental, not marginal. About a third of online users are children. The Government will have, in a way, to step in that direction. They will have to step towards new clauses 5 and 6, and new schedule 1, because they have committed to issuing an age-appropriate design code that will operationalise clause 124. I want to encourage the Government to think creatively about the way they will write the code of practice on age-appropriate design codes, with at least one eye on the broader bill of data and digital rights, which we want to propose.
The 5Rights movement has a couple of important ideas. One is the right to remove: children should be able to remove content that they have uploaded. There are probably members of the Committee who have posted all kinds of unfortunate content in their lives, which they might not want to have there in the future. That is certainly true of many children I know. The right to remove is, I think, widely accepted, and is reflected as one of the ambitions of the Bill.
The second right is the right to know. Children should be able to learn easily the who, what and why—and know for what purposes their data is being exchanged. That is important. The Minister herself has talked about the need to educate online users—to educate us all, so that we become better critical consumers of the content that we find online. That is doubly important for children.
The third right is the right to safety and support. Much of what upsets young people online is not illegal. It is legal. Support is often quite sparse and fragmented. It is often pretty invisible to children and young people when they need it most.
It will be challenging for the Government to turn the right to informed and conscious use into part of the code of practice, but that is incredibly important. It is simply unfortunate that social media firms spend quite so much money, effort and engineering talent on creating features that create a kind of addiction because of the rush of endorphins that they trigger in young people’s minds.
Those technologies, techniques and tricks of the trade are based on exactly the same principles as casino slot machines, and it is quite telling that a number of social media leaders have, over the last six months, gone on the record to say that they will not let their children use the apps that millions of children around the world use. The right to informed and conscious use will be difficult for the Government to interpret, but it is none the less important.
The right to digital literacy is perhaps the most important of all. It is something that our schools already do a terrific job of putting into practice, but what struck me in Estonia is the way that people see the right to internet access as basically a social right. That is surely something that we should debate and put in practice, too.
We have had quite a collection of evidence over the last year from people such as the Children’s Commissioner, who have ridden in behind and supported Baroness Kidron’s 5Rights movement. The Children’s Commissioner recently said:
“The social media giants have simply not done enough to make children aware of what they are signing up to when they install an app or open an account.”
The idea that children can look at these pages and pages of terms and conditions and just click and agree to them is obviously nonsensical. Indeed, the Children’s Commissioner, when reflecting on that, said:
“Children have absolutely no idea that they are giving away the right to privacy or the ownership of their data or the material they post online.”
The Government have obviously sought to exercise their derogation under the GDPR and set the age of consent at 13, rather than 16, so the code of practice that the Minister has agreed to is really important.
We would like this bill of data rights to go alongside more effective mechanisms to ensure that those rights are enforceable. That is why we tabled our amendments to clause 80(2). We think it is impossible in today’s economic environment for ordinary citizens to take effective action against the biggest firms on earth. These five firms have a market capitalisation, although it is slightly less than it was, of about $2.5 trillion, so the idea that a humble citizen can take on some of these giants is nonsensical. We would therefore like this bill of data rights to sit alongside a much more effective, open and democratic form of class action.
I am really interested in the Minister’s observations on the rights we have set out. Article 1 of our proposed new schedule covers equality of treatment, which is enshrined in the GDPR. The GDPR is long—we have made incredible progress through it, article by article—and it is a miracle that we have arrived at page 123 of the Bill by Thursday afternoon, but that is a real testament to the skilful chairing of Mr Hanson and you, Mr Streeter. The principle of equality of treatment is written throughout every clause of the Bill. The point is that it is written through 200 clauses, so we think a basic statement of equality of treatment is a good place to start.
Article 2 covers the right to security, which is the subject of the Bill. Again, let us set that out in terms. Article 3 covers the right to free expression, which is something we have signed up to in articles of the European convention on human rights. It is something that we should set within the context of a bill of data rights. Article 4 covers the right of equality of access. Giving equal access to the digital environment is extremely important. The digital environment creates a network, and network effects mean that the more people joined to it, the greater the value of the network. It is important to specify, set out and declare that we see equality of access to the digital environment as important.
Article 5 sets out the right to privacy, which, again, is scattered throughout the Bill, although we would like to consolidate and crystallise it and bring it together. Article 6 covers ownership and control, which will only grow in importance. This is not the place to get into the vexed debate about who owns the copyright to the data that someone might have and the new data that might be created by joining that data with someone else’s. However, the question of who owns the copyright, and therefore who owns the value of data that is personal in origin, is only going to grow. That debate is almost the 21st century equivalent to that on the enclosure of the commons, frankly. Who owns the copyright of data will become more important as the value of data grows exponentially.
Article 7 talks about the right to fairness when it comes to automated decision making, which we will come to in the debate on algorithmic fairness. Algorithms are making more and more decisions in our lives. People have a right not to be treated unfairly as a result of those decisions. In the phrase used by my hon. Friend the Member for Cambridge, we cannot have a world in which yesterday’s injustice is hard-coded into tomorrow’s injustice. We think that ensuring a right to algorithmic fairness in our bill of data rights is important. The rights to participation, protection and removal are important too.
We have a long tradition of rights in this country; we are the world’s pioneers of them. It is because we have been that pioneer down the centuries that we are today the world’s fifth-biggest economy, but we are not the world’s leading digital society. It is an ambition of the Opposition that we should be, and we think that a bill of digital rights would help us to get there.
I welcome new schedule 1, in the name of my right hon. Friend the Member for Birmingham, Hodge Hill and my hon. Friends the Members for Ogmore and for Sheffield, Heeley. I should declare that I was first on Facebook as a 19-year-old. Now, as a 31-year-old, I can declare that I do not think there is anything on there that I am embarrassed of.
I reserve the right for other hon. Friends to remove content from their social media.
I wanted to refer to the issue of data ownership. When we think of the world in terms of things that we own, there are legal bases for that ownership. We have a legal right to the houses that we buy, once the mortgage has been paid off, and we have a legal right to the clothes that we buy. However, we have no legal right to the ownership of the data about us or the data that we generate. In the context of people making money off the back of it, that feels fundamentally incorrect.
Even the language that we use suggests that the relationship is not balanced. The idea that Facebook is my data controller, and that I am merely its data subject, suggests that the tone of the conversation is incorrect. I support the fundamental principle of ownership, because I think that we need to have a much more fundamental debate about who owns this stuff. Why are people making money off the back of it? If they do things with our property that is against the law, or that incurs us a loss, we should have the right to enforce that principle.
We have seen that not just in the context of the personal data that we might create about the things we like to buy or the TV programmes we like to watch. Sir John Bell, in the report “Life sciences: industrial strategy”, talked about the value of NHS data. We are in a unique position in the world, because of our socialist healthcare system, where we have data for individuals in a large population across many years. That is extremely valuable to organisations and others. We on the Science and Technology Committee are doing reports at the moment on genomics data in the health service and on the regulation of algorithms. I recommend those reports, when they are published, to Members of the Bill Committee.
We need to try to avoid allowing, for example, health companies—I will not name any particular ones—to come into this country, access the data of NHS patients, build and train algorithms, and then take those algorithms to other parts of the world and make enormous profits off the back of them. But for the data that belongs to the British people, those businesses would not be able to make those profits.
I am trying to follow the hon. Gentleman’s train of thought. As I understand it, we have the largest digital economy in the G20—it is 12.4% of our GDP. He and the right hon. Member for Birmingham, Hodge Hill have experience of the industry. You do want to promote technology, as opposed to putting a thumb on it, don’t you?
Then you agree with hon. Members on both sides of the Committee, Mr Streeter. Of course we do, but as we have seen this week with the Cambridge Analytica scandal, rules must be set, and there must be a balance between allowing innovation to flourish and people’s rights not to be harmed in the process.
I agree—that is why I welcome the Bill. I am saying that we ought to go further, which is why I support the new schedule, and having conversations about ownership.
Returning to the issue of health data, I have personal views about how we might tax revenues from platforms in a better way. I welcome the comments made by the Chancellor of the Exchequer, in line with his counterparts in Europe, about looking at how we tax revenues where they are made, not where the company is headquartered. That is a positive move, but surely if all this NHS data is creating profits for other companies and organisations, we can create a situation in which patients also benefit from that, by sharing in the profits that are made and by seeing value redirected into the health service.
Will my hon. Friend reflect on the idea that if someone is genuinely a popular capitalist and believes in the distribution of wealth as the basis of economic growth, then recognising and crystallising the value of personal data is actually pro-growth?
I agree entirely. I confess I never got all the way through my version of Piketty, but the idea of value through assets, as opposed to through the stagnating wages in our economy today, plays into this conversation around data. People from poorer backgrounds may not inherit houses or land, but they create their own data every day. It is an asset that should belong to them. They should be able to share in its value when companies around the world are making enormous profits off the back of it. In this digital age, there is a huge call for equality of opportunity and equality of access. We need to try to get those right in these fundamental understandings of the digital market and the rights that exist around it.
Lastly, I encourage and strengthen my right hon. Friend’s arguments on the application of these principles to children. The Committee has already debated how parental consent is not needed after the age of 13. One of my early jobs as legal counsel at BT was the dubious task of consolidating terms and conditions. Hon. Members who are no doubt happy customers of BT, with perhaps broadband, TV and sport, would originally have had to read five or six different documents that were very long and complicated. I had to consolidate those. That was not good enough, so I commissioned a YouTube star to do a video, which can be seen on the terms and conditions page, to try to explain some of these things. Even for adults, this was a really hard and laborious task.
I am not saying that it is for Government to tell businesses how to communicate to children. Second Reading and some of the Committee’s debates show—dare I say it—that we are probably not best placed to have those conversations. However, it is really important that there is an expectation on businesses that they take steps to ensure that children are properly engaged and really understand what they are signing up to, especially as the Government have opted to go to the minimum range for consent, going to 13.
I just wanted to re-emphasise the debate on ownership and on children. I support my right hon. Friend’s new schedule and new clauses, and I hope the Government will support them.
My response will encompass our digital charter, as the right hon. Member for Birmingham, Hodge Hill mentioned, and I will also answer some of the points he made in his interesting exposition of his rights-based approach. I agree with him: the internet is a powerful force for good, serving humanity and spreading ideas, freedom and opportunity across the world. Yet, as he rightly states, there are considerable trust issues, which can have only worsened in recent days.
I would like to emphasise the point made by my hon. Friend the Member for Gordon that the UK has a strong digital economy accounting for over 12.5% of GDP, which makes us the leading digital economy in the G20.
The right hon. Gentleman was critical of Government sites and services, but we have developed a system that is being taken up by several other countries, including New Zealand, which are adopting our approach to providing Government services online. I am sorry that his experience on the tax side was not great, and there are always exceptions, but on the whole we are leaders in the provision of Government services online.
Citizens rightly want to know that they will be safe and secure online. Tackling these challenges in an effective and responsible way is absolutely critical. The digital charter is our response. It is a rolling programme of work to agree norms and rules for the online world and to put them into practice. In some cases, that will be through shifting expectations of behaviour and resetting a settlement with internet companies. In some cases, we will need to agree completely new standards; in others, we will want to update our laws and regulations. Our starting point is that we expect the same rights and behaviour online as we do offline, with the same ease of enforcement.
The charter’s core purpose is to make the internet work for everyone—for citizens, businesses and society as a whole—and it is based on liberal values. Every country is grappling with these challenges. The right hon. Gentleman suggested last week that the Government are not averse to making declaratory statements of rights and interpreting them into law, but his key example related to human rights. The Human Rights Act provides a detailed and well-considered legislative framework for those rights and ensures that they are meaningful.
When Michael Gove, who is now the Secretary of State for Environment, Food and Rural Affairs, was Secretary of State at the Ministry of Justice, he launched a consultation about an English Bill of Rights, which was about not simply about human rights but a much broader set of rights. I do not think there is a big difference in our approaches to rights. Actually, I think there is a shared approach, as has been recognised down the years.
Yes, much of our approach is shared. The Government decided not to proceed with that Bill of Rights, but the right hon. Gentleman rightly points out that both our parties have a keen interest in this area. However, to set out his proposed bill of data rights in primary legislation would cut across the GDPR. It would impose its own rights of rectification and erasure, its own notion of control and its own obligations on controllers to keep data secure, but, of course, the GDPR already does that, and comparable rights are provided for in the Bill. I am concerned about how the Commission would react to such an attempt to redefine data protection standards. That is one of our main concerns with his new clauses and new schedule, no matter how much we might agree with the sentiments behind them. Given that, and the fact that we are proceeding with our digital charter, I feel that the Bill, in essence, covers this issue, and I need say no more about it.
Our proposed bill of data rights seeks not to redefine but to enshrine, so the rights reflected in the GDPR are no more than enshrined in it. The point is that it would go over and above the rights and obligations set out in this Bill. The right of equal access to the internet, the crystallisation of the right to expression and the advancement of the debate about the right to data ownership are important provisions whose time will come. At some point, due to the way the world is changing, our citizens and constituents will begin to demand both a democratisation of the privileges of this new age and of progress, and the right to effective defences and new protections.
I am glad that the Minister agrees with the sentiment behind the new clause, and I recognise that she perhaps does not see this Bill as the place to consolidate our brilliant ideas into the law of the land. I listened with interest to what she said about a rolling programme of ideas in the digital charter. There is a challenge with that approach: it will end up following the cones hotline model of public service reform. It will not live or sing; it will be bedevilled by voluntary codes, bureaucracy and operational procedures, and it will end up not really making a difference to the world. Our bill of data rights is clear.
If rights are to be a reality, they need not to be a mystery but to be understood. They need to be something that people can talk about in a pub. They need to be something not that is set out in 250 pages of primary legislation but that can be set out on the back of a fag packet. In our bill of data rights, we set out a clear agenda that would make a difference and be easily understood and enforced. It would be an improvement and would take forward the rights and liberties of the citizens of this country.