Sir John Whittingdale
I welcome the Bill. I am delighted that it finally takes advantage of one of the freedoms that has resulted from our leaving the European Union, which I supported at the time and continue to support. As has been indicated, the Bill has had a long gestation. I was the Minister at the time of the issue of the consultation paper in September 2021 and the Bill first appeared a year later. As the Opposition spokesman pointed out, a small hiccup delayed it a bit further.
Our current data protection laws originate almost entirely from the EU and are based on GDPR. Before the adoption of GDPR in 2016, the UK Government opposed parts of it. I recall that the assessment at the time was that, although there were benefits to larger companies, there would be substantial costs for smaller firms and indeed that has been borne out. There was a debate in government about whether we should oppose the GDPR regulation when it was going through the process of the Commission formation. As so often was the case in the EU, we were advised that, if we opposed that, we would lose vital leverage and our ability to influence its development. Whether we were able then to influence its development is arguable, but it was decided that we should not outright oppose it. However, it has always been clear that the one-size-fits-all GDPR that currently is in place imposes significant costs on smaller firms. When we had the consultation in 2021, smaller firms in particular complained about the complexity of GDPR, and the uncertainty and cost that it imposed. Clearly, there was seen to be an opportunity to streamline it—not to remove it, but to make it simpler and more understandable, and to reduce some of the burdens it imposes. We now have that opportunity to diverge.
The other thing that came back from the consultation—I agree with the Opposition Members who have raised this point—was that there is an advantage in the UK’s retaining data adequacy with the EU. It was not taken for granted that we would get data adequacy. A lengthy negotiation with the EU took place before a data adequacy agreement was reached. As part of that process, officials rightly looked at what alternative there would be, should we not be granted data adequacy. It became clear that there are ways around it. Standard contractual clauses and alternative transfer mechanisms would allow companies to continue to exchange data. It would be a little more complicated. They would need to write the clauses into contracts. For that reason, there was clearly a value in having a general data adequacy agreement, but one should not think that the loss of data adequacy would be a complete disaster because, as I say, there are ways around it.
The Government are right to look at additional adequacy agreements with countries outside the EU, because therein lies a great opportunity. The EU has managed to conclude some, but not that many, and the Government have rightly identified a number of target countries where we see benefits from achieving data adequacy agreements. It is perfectly possible for us to diverge to a limited extent from GDPR and still retain adequacy. Notably, the EU recognises New Zealand’s regime as being adequate, even though New Zealand’s data protection laws are different from those of the EU. The fact that we decided to appoint the former New Zealand Information Commissioner as our own Information Commissioner means that he brings a particular degree of knowledge about that, which will be very useful.
In considering data protection law, it is sometimes said that there is a conflict between privacy—the right of consumers to have protection of their data—and the innovation and growth opportunities of technology companies. I do not believe that that is true; the two things have to be integral parts of our data protection laws. If people believe that their privacy is at risk, they will not trust the exchange of data. One problem is that, in general, people read only about the problems that arise, particularly from things such as identity theft, hacks and the loss of data as a result of people leaving memory sticks on phones or of cyber-criminals hacking into large databases and taking all their financial information. All those things are a genuine risk, but they present only one side of the picture and, in general, people reach their view about the importance of data protection according to all the risk, without necessarily seeing the real benefits that come from the free exchange of data. That was perhaps the lesson that covid showed us more than any other: by allowing the exchange of data, it allowed us to develop and research vaccines. We were able to research what worked in terms of prevention and the various measures that could be taken to protect consumers from getting covid. Therefore, covid was the big demonstration of the fact that data exchange can bring real benefits to all consumers. We are just on the threshold—
Further to my right hon. Friend’s point about facilitating a trusted mechanism for sharing data, does he agree that the huge global success of open banking in this country has demonstrated that a trust framework not only makes people much more willing to exchange their data but frees up the economy and creates a world-leading sector at the same time?
Sir John Whittingdale
I agree with my hon. Friend on that. The use of smart data in open banking demonstrates the benefits that can flow from its use, and that example could be replicated in a large number of other sectors to similar benefit. I hope that that will be one benefit that will eventually flow from the changes we are making.
As I say, we are on the threshold of an incredibly exciting time. The use of artificial intelligence and automated decision making will bring real consumer benefits, although, of course, safeguards must be built in. The question of algorithmic bias was looked at by the Centre for Data Ethics and Innovation and there was evidence there. Obviously, we need to take account of that and build in protections against it, but, in general, the opportunities that can flow from making data more easily available are enormous.
I wish to flag up a couple of things. People have long found pop-up banner cookies deeply irritating. They have become self-defeating, because they are so ubiquitous that everybody just presses “yes”. The whole point of them was to acquire informed consent, but that is undermined if everybody is confronted by these things every time they log on to the internet and they automatically press “yes” without properly reading what they are consenting to. Restricting them to cookies that represent intrusive acquisition of data and explaining that to people and requiring consent is clearly an improvement. That will not only make data exchange easier but increase consumer protection, as people will know that they are being asked to give consent because they may choose not to allow their data to be used.
I understand the concerns that have been expressed about the Bill in some areas, particularly about the powers that will be given to the Secretary of State, but this is a complicated area. It is also one where technology is moving very fast. We need flexible legislation to keep up to date with the development of technology, so, to some extent, secondary legislation is probably the right way forward. We will debate these matters in Committee, but, generally, the Bill will help to deliver the Government’s declared intention, which is to make the UK the most successful data-driven technology economy in the world.