Motion made, and Question proposed, That the sitting be now adjourned.—(Mr Goodwill.)
I begin the debate by thanking the new Backbench Business Committee for accepting my submission and agreeing to give parliamentary time to this important subject. As with the election of Members to Select Committees, the Backbench Business Committee is a small step in redressing the balance of power, moving it from the Executive to the legislature. It is therefore appropriate that one of the early Back-Bench debates should be on the subject of civil liberties.
In recent years, we have become increasingly focused on freedom. With every terrorist atrocity, our civil liberties have been curtailed, often in a somewhat draconian manner. I therefore welcome the coalition Government’s determination to redress the balance by reviewing the anti-terrorism legislation, scrapping identity cards, abolishing the national identity register and the contact point database, and halting the next generation of biometric passports. However, I do not wish to talk about state surveillance this afternoon.
I requested this debate because of my concern—and that of many others, including hon. Members here today—about what I term the privatised surveillance society. By that, I mean the surveillance of individual citizens by advanced internet companies; ordinary people have no right of redress, and there is no possible sanction. I will set out what I perceive to be the problem, the reaction thus far of the authorities, and what steps I believe should be taken to deal with it.
My question is this: are we sleepwalking into a privatised surveillance society? How can we stop it? Before I examine the arguments, let me first declare an interest. I am no internet luddite, but rather a passionate advocate for its cause. I blog using Google and Twitter, and I am active on Facebook, where I am lucky enough to have 1,400 friends. In fact, I am an enthusiast for Google products. I run my Commons business using Google Mail; I have Google Sync on my BlackBerry, and I use a Google Android phone. I prefer Google Chrome to Microsoft Explorer. I am a huge believer in the power of the internet to do good, and to be, potentially, a force for democratic development, allowing citizen power at its best.
However, there is a great difference between advancement of the internet and the violation of people’s right to privacy. Private companies seem to have acquired the right to photograph what goes on in people’s gardens. That is a dangerous shift, because if no one has any right to privacy, we will soon be living—dare I say it?—with a privatised version of Big Brother run by some of the internet companies. That is the scenario slowly creeping up on us. I say that because many of my observations today will focus on Google’s activities, such as street-mapping, accessing people’s personal wi-fi addresses, and—as we learned from newspapers and Google’s official blog a few days ago—the harvesting of personal e-mail addresses and passwords.
I acknowledge that Google is by no means the only guilty party. As The Wall Street Journal recently highlighted in a special series, there is a problem with what is termed scraping. Scraping is the process whereby internet companies such as Facebook and MySpace pass on user names and personal information to other companies for commercial purposes, without the consent of the individuals concerned.
The issue of civil liberties and internet privacy first came to a head not long after I was elected to this House in May 2010. The newspapers revealed that Google had been mapping people’s personal wi-fi data without their permission. I found that an astonishing revelation, and subsequently tabled a number of early-day motions. I also wrote to the Information Commissioner’s Office to ask its view on the matter, but I received what I can only term a lamentable response. The clearly standard reply stated:
“The ICO has visited Google’s premises to assess samples of the “payload” data it inadvertently collected. Whilst Google considered it unlikely that it had collected anything other than fragments of content, we wanted to make our own judgment as to the likelihood that significant personal data had been retained and, if so, the extent of any intrusion. The information we saw does not include meaningful personal details that could be linked to an identifiable person...It is unlikely that Google will have captured significant amounts of personal data.”
That raises two issues. First, did Google harvest meaningful personal data without people’s consent? Secondly, did it capture a significant amount of those personal data?
In the view of the UK Information Commissioner, who examined the Google computers, there was nothing to worry about. I have subsequently spoken to the Information Commissioner. His view is that although he would have liked to take stronger action against Google, his office was constrained by the Data Protection Act 1998. Perhaps that is true, but why was it not said at the time? There is nothing in the Information Commissioner’s first announcement about insufficient powers or the constraints of the Data Protection Act. That inertia seems all the more disappointing given that other groups were working hard to protect the British public.
Many privacy campaign groups, such as Big Brother Watch, have raised awareness of the issue in the media. Privacy International complained to the Metropolitan police in London, who opened an investigation into Google under the Regulation of Investigatory Powers Act 2000 and the Wireless Telegraphy Act 2006. Why was that left to private groups and individuals? The Information Commissioner has said that the Data Protection Act prevented further action from being taken, but what was his view of the Regulation of Investigatory Powers Act and the Wireless Telegraphy Act? Why was Google not referred to the police?
The public whitewash was all the more surprising given the actions of many other Governments around the world. In Spain, there is a formal judicial inquiry and the threat of a substantial fine. In South Korea, the police have raided Google’s headquarters. Serious investigations were undertaken in France, Germany, Italy, and Australia. Israel is considering the problem in its 32nd international conference on data protection and privacy commissioners, before Street View has even reached its shores. In Canada, the privacy commissioner has launched a legal inquiry on the basis that Google defied Canada’s privacy laws. In Greece and the Czech Republic, Street View has been banned altogether. In America, Google faces a class action lawsuit over data harvesting, as well as a large-scale investigation backed by 38 states.
Let me return to the critical questions. Did Google harvest meaningful personal data without people’s consent? Did it capture a significant amount of those personal data? A few weeks ago on 14 September, I went to visit the impressive Google headquarters in London and I asked some questions. I stress that the company has always been open to discussion, and courteous when dealing with my concerns. At that meeting, I was given the strong impression that the wi-fi details harvested were basic and did not amount to much. In other words, Google told me that the data were not meaningful, and that they were not collected in significant amounts. It was therefore strange to read what Google’s vice-president of engineering and research, Alan Eustace, wrote on the company’s blog over the weekend. He admitted that his company’s Street View cars captured
“entire e-mails and URLs...as well as passwords”
on a mass scale. He added:
“We want to delete this data as soon as possible”.
We have to take his word for it, but it is hard to do that when, contrary to what the Information Commissioner announced this year, and contrary to what Google said to me in September 2010, meaningful personal data were collected in significant amounts.
The issue is simple: either meaningful personal data were collected in significant amounts, or they were not. In July 2010, we were told that they were not; in October 2010, we were told that they were. I sincerely hope that this House, the Government, and the British public, have not been deliberately misled. I also hope that Google’s U-turn is voluntary, rather than a scenario in which it admitted the truth only because investigations by other Governments gave it no alternative.
As The Daily Telegraph stated on 23 October 2010, Google admitted that it
“downloaded personal data from wireless networks when its fleet of vehicles drove down residential roads taking photographs for its controversial Street View project.
Millions of internet users have potentially been affected.”
Among the information gathered were millions of e-mails, passwords, and the addresses of websites visited by private households. That is unacceptable.
The problem should have been picked up by the Information Commissioner in the first instance. Major questions need to be asked. Why did the Information Commissioner assure the public, the Government and the House that all was well? Why did it take an admission of malpractice on the company’s own blog to trigger a new inquiry by the Information Commissioner?
It is not enough to say that the whole thing was an innocent mistake, as Google has suggested. That was its line when Street View uploaded images of naked children without the consent or knowledge of those involved. It was its line when a Google engineer was able illegally to access children’s private e-mail accounts and telephone records. Google took disciplinary action only after parents complained that the engineer had illegally used Google data to harass four of their children.
I find it hard to believe that a company with the creative genius and originality of Google could map the personal wi-fi details, computer passwords and e-mail addresses of millions of people across the world and not know what it was doing. My feeling is that the data were of use to Google for commercial purposes and that that is why it was done. Of course Google denies that, but for me the question is whether the company underestimated the reaction of the public and many Governments across the world once it was revealed what Google had done.
Even if Google had not harvested oceans of data without anyone’s consent, and even if the Information Commissioner’s Office had not been so lamentable in its response, I would still have concerns about Street View. In many ways, Street View is a brilliant innovation. I am sure that many of us in this Chamber have used it from time to time as a three-dimensional “A to Z”, but street-mapping has been done without anyone’s explicit permission. Millions of houses and gardens are photographed in micro-detail and put on the web. As I mentioned, there were episodes in which Google photographed naked children and uploaded the pictures to the web. Although the pictures were subsequently removed, they should not have been there in the first place. I am sure that hon. Members will have tales to tell of e-mails sent by constituents about similar situations.
One lady from a village in Cornwall e-mailed me about today’s debate. Wanting to remain anonymous, she said:
“The camera must have been elevated to at least 10 feet high to get these shots. I live in a small hamlet, and on Street View it is possible for someone to see right into the rooms of our house. I am so angry at the infringement of our privacy but until now have had no-one to take up the cause.”
I have no problem with Google photographing me in my garden, or my house, and putting those images on the web, but the point is that I want to give Google permission to do so. I want to opt in. Some people will respond that any citizen can walk up a street, taking pictures of people’s houses. Of course that is true, but there is a difference of scale and of commercial interest. Google was not sightseeing; it was creating a product to sell advertising on a mass scale. No private citizen has the millions of pounds or dollars at their disposal to take a detailed picture of every house, street and company in Britain. That makes this case fundamentally different.
I welcome the moves by the German Government to give people a chance to opt out of Street View before the pictures are published. Nearly 250,000 Germans have opted out of Street View. That is roughly 3% of households.
What my hon. Friend has described sounds like a systematic pattern of behaviour, but it is worse than that. It is a systematic pattern of behaviour backed up, frankly, by systematic mendacity on the part of Google, which first says that it happened by accident, then says that it was a mistake and ends up saying, “Well, we will eventually get rid of the data.” Does not that argue to my hon. Friend—he does not have to answer immediately—that we have to take quite firm legal action with respect to people’s rights of privacy and their property rights regarding privacy and with respect to the penalties that ought to face a company as huge as Google, perhaps as a fraction of its turnover?
My right hon. Friend is a great defender of civil liberties and we are lucky to have him at the debate. I agree with him absolutely. Later in my remarks, I shall be able to give a more detailed answer to what he has suggested.
As Germany’s Interior Minister said in September 2010,
“If companies do not adopt satisfactory new rules, we will create more restrictive privacy laws. However, a voluntary code of sufficient strength and scope could make special regulations unnecessary, at least in part.”
In my meeting with Google to discuss Street View, it implied that blackening out houses in a street view would make things look “unseemly”. My answer to that is, so what? If aesthetics are sacrificed in the cause of liberty, that can only be a good thing. This is an important principle. Either our home is our castle or it is not. Google’s actions indicate an all-too-frivolous view of the rights of the individual against the advancement of internet technology.
However, as I stated in my opening remarks, we should not be worried just about Google. There are also reports that BT has been, allegedly, trawling people’s Facebook accounts to check for critical comments about the company. Again, that is totally out of order. There must be a limit to what these companies do. We may accept that, in the present day, most of these internet companies have good and honourable intentions, but we are setting a precedent. If we permit this invasion of privacy today, what might it be used for tomorrow?
A case in point is scraping, which I mentioned. Thanks to The Wall Street Journal, we now learn that the internet has given rise to thousands of data brokers and middlemen. They gather information from property records, social networking sites and telephone listings and by scraping data from websites where people post information about themselves. The point is not that those data are publicly available, but that they are being aggregated on a mass scale in a way that threatens individual privacy.
If we accept that civil liberties are being violated in the way that I have described, we must also acknowledge that something must be done about it. In some ways, what is going on is much more dangerous than state surveillance, because at least the citizen knows his rights and there is some possibility of legal redress. Also, it is possible to sack a Government if we are unhappy with them. We are familiar with the idea that there is a social contract between Government and citizen, but what is the social contract between a citizen and an internet corporation?
Street View affects everyone. Its impact is not limited to Google’s customers. When it comes to internet companies, the question of citizen rights is much murkier and less defined. That grey area has allowed firms such as Google to get away with what they have done. The reality is that a lot of privacy encroachment is going on that has yet to be uncovered.
Returning to the remarks by my right hon. Friend, I believe that there needs to be a robust inquiry, with teeth, into the role of the internet and its relationship to individual liberty.
I congratulate the hon. Gentleman on securing this very important debate and on the eloquent way in which he is presenting his very important case. Does he agree that one of the frightening aspects of all of this is that we depend for information about what is happening and what the companies are up to on the companies themselves? As he pointed out, none of this would come to light unless the information was presented by the companies. Therefore, we do not know exactly what is going on. That is a key point, in terms of people knowing what is happening.
The right hon. Gentleman makes the extremely important point that in some ways we are becoming so dependent on the internet companies that that allows them to do what they are doing. He is exactly right.
I am not against private companies—I am a Conservative, after all. As I mentioned, I use Google a lot to run my parliamentary business, but this time it has gone too far. Indeed, there is a danger that one day, no one will have any privacy whatever—and this time the threat is not from the state.
I accept that, despite what I have described, there are no easy answers. When it comes to the advance of the internet, it seems that the rights and responsibilities are still unclear. I accept that it is very difficult for a nation state to deal with what is in effect a transnational company.
I, too, congratulate my hon. Friend on securing the debate. Does he agree that the problems regarding Google and the invasiveness of the internet arose before the capturing of the information that should not have been caught? One of the groups of people who have suffered as a result is young people and teenagers. A number of suicide sites have been established and information is passed via social networking mediums such as Facebook and other mediums to teenagers, who are particularly vulnerable and have been particularly badly hit by that. Perhaps it is time for us to examine how the internet has operated and invaded people’s lives in an adverse way, and to start talking about some form of regulation that protects individuals.
My hon. Friend makes a good point which, although slightly different from what I am focusing on today, is relevant to the role of the internet. I think she will be pleased to hear what I say later in my remarks.
The time has come for the Government to set up a serious commission of inquiry composed of members who have expertise in civil liberties, the internet and commerce. The commission should suggest a new legal framework to redress the balance, giving citizens an affordable and speedy means of redress.
Perhaps the best means would be an internet Bill of Rights, which would give the citizen some notion of his rights. At first, such an internet Bill of Rights might be a semi-voluntary code, as currently proposed in Europe. The system would be self-regulating, in the same way as the British Medical Association can mediate over doctors’ behaviour, or the Law Society can judge legal practice. If an inquiry finds cases in which a company has infringed upon people’s privacy without their permission, perhaps there could be some sort of fine.
I thank the hon. Gentleman for giving way and for securing this interesting debate. I am interested to hear how he develops some of his points.
The hon. Gentleman keeps talking about companies. Although he touched briefly on the role of the Government, would he not agree that, while infringement by companies is a serious problem, infringement by Governments—which has happened so often, through the former intercept modernisation programme, the Digital Economy Act 2010 and the huge amounts of data held by the Government—is at least as chilling, not least because so much more money and infrastructure back it up? How would he tackle that issue?
I was pleased to serve with my hon. Friend on the Public Bill Committee that considered the abolition of identity cards. He is also a huge defender of civil liberties, and has been so for many years. He is right, and raises an important subject, but one for another debate. Today, I am focusing specifically on the activities of internet companies and their role in curtailing our civil liberties.
I, too, join those congratulating my hon. Friend on orchestrating the debate today.
On regulation, specifically, does my hon. Friend think that there is any merit, or viability, in establishing an industry-wide data security mark of some sort? Is there not a clear commercial incentive for companies such as Google to ensure that they get this right, and to satisfy the general public that they are getting it right? What about a kitemark or some such security apparatus, which would allow the public to see the quality or otherwise of companies such as Google and their security infrastructure? Would my hon. Friend support something such as that?
My hon. Friend is exactly right. It is that sort of thing that I hope the independent commission of inquiry would consider.
Although internet companies are global, nothing would stop the Government from fining their operations in the UK.
I stand before the Chamber known as Robert Halfon. However, if I took the advice of the Google chief executive, Eric Schmidt, I might have changed my name by now. In August, Mr Schmidt suggested that people might have to change their names in order to wipe their personal histories as captured on the internet. His vision for Google is not just to monitor people, but to predict their behaviour. He has said that
“most people don’t want Google to answer their questions. They want Google to tell them what they should be doing next”.
In the future, Google will
“know…who you are…what you care about…who your friends are”.
Mr Schmidt also said:
“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
Therein lies the problem we have been discussing today. It is the nub of the whole subject. For Mr Schmidt and his company, Google, the burden of taking defensive action because of activity by internet companies lies on the individual. In fact, in my view and that of many others, it should be the opposite.
On that very point, would my hon. Friend not accept that it is almost impossible for the individual to take action? We saw that in particular, for example, in 2007, in the what I would call illegal trials by BT of the system of Phorm to identify internet users’ advertising preferences, so that they can be targeted. The individual cannot protect him or herself.
In some ways my hon. Friend is right, but that is why we should have an independent commission and a Bill of Rights, because they would help. We will never be able to stop everything, but we would have some right of redress. It should be up to the internet companies to respect the rights of the individual, not the other way around.
I am calling for an internet Rill of Rights, a proper inquiry and an Information Commissioner who genuinely acts to safeguard our liberties. I hope that hon. Members and the Government will be able to support that.
It is a great privilege to be able to take part in this debate and, again, I congratulate the hon. Member for Harlow (Robert Halfon) on securing it. It is welcome and timely.
I have had an interest in the internet in many areas, politically as well as personally. Any combination of technology, commerce and civil liberties was always going to interest a Liberal science geek such as me.
As someone who is still new to Parliament, I have been shocked by the aversion that some hon. Members have to matters technological. There are a number of constraints on using tablets in the Chamber, and various other archaisms, which I hope, together with many other new Members, that we will be able to change. However, some of the aversion is due to the frustration of getting parliamentary hardware and software to work. Privacy is, though, something that Members should be concerned about, however technologically literate they are. It affects us and our constituents, who use the internet for all sorts of purposes. It affects businesses and how we interact with all those things.
Some first principles have been touched on, such as the balance between openness and transparency on the one hand and privacy on the other. One of the issues is about education—people who use things such as Facebook or Twitter do not understand what they are doing with their information. People giving information about their opinions on BT, available to the outside world and for BT to have a look at, is a perfectly valid choice. However, people should know that that is what they are doing, and they should be choosing to do so, rather than discovering that they have inadvertently done so without thinking about it.
What about a health warning on Twitter? On cigarettes we have “Beware of death” or something. On Twitter we could have “Beware of giving too much information” in a big sign—it has got to be big—or something like that. Do those things exist and I just cannot see them because my eyesight is so poor?
“Excessive twittering may be bad for your future”—the problem would be fitting something into 140 characters. We can run out of space quickly. We need to have some way of educating people on the subject. That involves education in schools and, I am sure, the involvement of websites.
However, I am concerned about the idea of imposing draconian regulations on internet use. There is a balance. We know that it is hard to have regulations, with too many strict controls on what happens and what is done. I was recently with at least one other hon. Member in the Chamber on a trip to China, where we had some interesting discussions about the Chinese efforts to control what can and cannot be done on the internet. I am sure that we do not want to go down similar routes.
As the hon. Member for Harlow has already made clear, we cannot ignore those problems—they are affecting people and are doing so now. However, he did not mention a number of things. For example, the Firefox extension called Firesheep enables users to log into other people’s social networking accounts—I have not used it myself, I hasten to add.
As I mentioned in my intervention, the Government have a critical role. I am even more concerned about the Government’s ability to do such things. While we can argue about which is worse, there is no doubt that the Government should be seen to be leading the way in respecting citizens’ rights.
I was delighted to see in the coalition agreement the commitments to “roll back state intrusion” and “restore our civil liberties”. I suspect that many, if not all, of those in the Chamber today would agree. [Hon. Members: “There are no Labour MPs here.”] There is a Labour MP here—I am sure that he would support the coalition agreement on at least that point.
The welcome words in the agreement have to be matched by actions in Government. There are issues on which we have not done enough to reverse what happened under the previous Government and, in some cases, there is a risk that we will be worse.
The last Government had an extraordinary predilection for hugely costly and intrusive IT projects and policies—I was delighted to serve with the hon. Member for Harlow on the Identity Documents Bill Committee and I was pleased to hear that the only one of the cuts that the right hon. Member for Doncaster North (Edward Miliband) said in an interview that he agreed with was getting rid of identity documents. I am delighted that the Labour party has finally come along to that sensible position.
I turn to a couple of things being driven by the Government that I believe interfere with privacy. The first is the Digital Economy Act 2010. I could talk for the remainder of this debate about some of the controversial aspects of the legislation, but I shall not detain the House as I assume that everyone is aware of the debate and the many issues raised. However, I draw attention to a case that was reported in July this year, after the Act was passed.
A woman received a letter from her internet service provider accusing her of downloading homosexual pornography illegally. That eventually resulted in her discovering that her son was gay. That is not the way that privacy should be broken; we can expect to see many more such cases if provisions of the Act are not substantially altered—or, as I would like to see, abolished. BT and TalkTalk attempted to secure a judicial review, which reveals that even industry heavyweights understand the problems caused by some aspects of the 2010 Act. If the offensive parts of the Act are not repealed, it is essential that they are significantly modified, by legislation or through the Ofcom code, so that ordinary criminal or civil procedures can be used; we already have procedures for dealing with theft.
I hope that the Government will avoid the general trend towards administrative systems laden with Executive involvement. What is the Minister’s current thinking on the 2010 Act? Will the Freedom Bill be able to stand for freedom in this area as well as in others? Will he confirm that the Government will not adopt a position in which internet users will be guilty until proven innocent, as the Act effectively demands?
I could speak about summary care records and the fact that the Government have failed to deliver what I believe was an important promise, and I can give examples of the consequences. Instead, I shall speak about the reported revival of the intercept modernisation programme, although I am sure that it will not be known by that name.
I remind the House that the IMP was an ambitious £2 billion project that would have forced ISPs to log clients’ internet and e-mail activity for at least 12 months. That, I believe, is a great infringement of privacy. Indeed, the coalition agreement explicitly stated that
“we will end the storage of Internet and email records without good reason”.
There is no doubt that we face threats from cyber-terrorism. Malicious breaches of security could cost the Government, businesses and individuals dearly in all sorts of ways. However, that does not give the Government the excuse to use a sledgehammer to crack a nut.
The significance of internet records in dealing with cyber-terrorism and other forms of terrorism requires some attention by the Government. That might be better achieved by service providers having to keep material for a set period rather than creating a vast Government warehouse of such material, or merely relying on how long it is convenient for the companies to keep it to suit their billing records.
Indeed. There are a number of ways to deal with genuine cyber-terror risks. Labour’s proposals certainly were excessive; it took a draconian and over-zealous approach.
I raised the matter yesterday in Prime Minister’s questions. I asked exactly what was happening about the intercept modernisation programme. He assured me that the Government were not planning a centralised database. I suggest that right hon. and hon. Members read exactly what he said. I am trying to give the Prime Minister and the Government the benefit of the doubt, but I am concerned about the careful choice of words. Does it have to be a centralised database to cause problems? Does it have to be a Government database to cause concern?
The original problem was that ISPs were storing the data. Hoping that the Prime Minister was being less than entirely clear, I asked some follow-up questions to establish what is being proposed, given the wording of the strategic defence and security review. The Government have to be better, and they can start by ruling out for good such a costly, over-broad and heavily intrusive approach. A minimal standard for data retention has to be the goal.
I understand that the Home Office is considering that data retention by ISPs should be based on an EU directive. If so, extremely stringent safeguards must be put in place. What discussions has the Minister had with the Home Office on the matter? Will he assure the House that Government intrusion into the privacy of individual internet users would happen only in the event of a serious threat to national security, that it would be regulated by the strictest possible safeguards, and that it would be subject to primary legislation so that Members of Parliament could consider what was proposed?
I am listening with fascination to the hon. Gentleman. He is exactly right in what he says; there will clearly be a need for a severe warrant in order to control what is done with privately held data by agencies of the state. However, that alone will not resolve the problem of having a big centralised database. The creation of a database can itself create a security hazard. A large quantity of data being held, even by one ISP, becomes a target for fraudsters, hackers and terrorists. Does the hon. Gentleman agree that the Government should sort out that problem as well as the others?
The right hon. Gentleman makes an excellent point. Wherever the data are kept, we would have to be most careful about their security. Some people would be interested to see it. For example, I can imagine that a number of people would pay considerable sums to gain access to the web and e-mail records of every Member of Parliament; we saw the excitement on expenses, and I am sure that it would be similar. Data like that must be treated as a great security risk, and that risk counterbalances much of the risk from cyber-attacks about which we hear so much.
I could talk about many other matters, but a number of Government Members wish to speak; the Opposition Benches are somewhat denuded. However, I wish to tell the House that I chair a Liberal Democrat policy working group that is writing a new policy on IT and IP matters, and we would welcome submissions from Members and from people across the country. We shall also be dealing with the party’s proposals on privacy. Indeed, members of the working group could have given a rather more detailed take on many of these matters. We clearly need to avoid the kind of lazy thinking that gives blanket solutions but ignores the need for privacy and liberty, and suggests draconian solutions that cause more problems than they solve.
I hope that my comments and those of others here today will give Ministers and others food for thought and that, together, we can work towards a balanced solution that preserves people’s reasonable privacy expectations.
It is a pleasure to follow the hon. Member for Cambridge (Dr Huppert). He is a self-confessed Liberal scientific geek, but I do not qualify on any of those fronts. It is a particular pleasure to follow my hon. Friend the Member for Harlow (Robert Halfon), and I congratulate him on securing this timely and welcome debate. I agree with almost every word that he had to say. It is especially good to be talking of these matters given that they are so topical.
We live in an age when instant access to information—and, indeed, to people—is the key. Our society has become dependent on getting information at the click of a button. Technology is advancing at a speed of knots, to use an ancient term, and it has helped to advance our economy. However, I am concerned about the potential for legislation quickly to become outdated, as Parliament struggles to keep up with the pace of change in the media market. It is important to have laws in place to protect companies that are making new and ever-evolving equipment, but we should also ensure that the new technologies do not infringe upon our constituents’ right to freedom. I do not advocate a parliamentary legislative research and development department to allow us to keep up with the pace of change, but it is important that the House remains aware of, and reacts to, the growing changes in the technology market.
My hon. Friend expressed concern about the issues highlighted by the media earlier this week and came up with some innovative solutions. I share his concern. It is a sad day when an individual can suffer such an extreme invasion of privacy by a company that is used to enjoying its customers’ trust. I am sure that Google will respond to questions posed by the Information Commissioner, my hon. Friend and others in a timely manner, so that we can get to the bottom of the problem. Sadly, this is not the first time that I have heard of an invasion of privacy being committed through the use of new technology.
I draw attention to what has occurred in my constituency. I do not wish to give the impression that the only company of interest today is Google. However, Milton Keynes has had the misfortune to suffer two instances when the use of Google Street caused me and my constituents great alarm. What happened in the village of Broughton in my constituency ended up making a splash in the nationals back in April 2009. A Google Street car arrived on London road, with the well-documented 360° degree camera on its roof. Villagers were outraged, and formed a human chain to stop the car from moving any further down the road. I was very proud of them. Expressing concern at the invasion of privacy, they requested that the driver stop recording images of their streets. The driver refused. Following intervention with Google, it became apparent that residents could halt publication of the images of their homes only after they had been published online, as has been said. My constituents had to place a request with the company for the images to be removed.
I do not wish to seem clichéd, but the similarities that can be drawn between this invasive style of mapping and an Orwellian thriller are increasing. However, it is not the state that is carrying out this street surveillance, but private companies, and that causes me and many other hon. Members great concern. Big Brother should not be watching us, and especially not a private Big Brother.
As a non-lawyer, I confess that I was surprised to discover that privacy is not a right, but simply a reasonable expectation, as most recently established in the case of Campbell v. MGN Ltd in 2004. Although I understand that, Google’s policy of publishing images that my constituents had requested remain unpublished and removing them only after they were published is simply unacceptable. It is our duty to protect our constituents from such instances, and I would welcome the Minister’s comments on the suggestion from my hon. Friend the Member for Harlow that we have an internet Bill of Rights.
The second problem in my constituency, which involves a women’s refuge in Milton Keynes, was perhaps of even greater concern. Hon. Members will forgive me if I do not go into great detail about the refuge or its location for obvious reasons. The refuge protects women and their families who have run away from abusive home environments. Its anonymity is crucial to the organisation and to the sense of security of the women and children who turn to it in their time of need.
A PO box number is given for correspondence sent to and from the refuge. Only once women have called the emergency number and a pick-up point has been agreed do they find out where the hostel is. Imagine their great concern when, on entering the name of the organisation in Google, they see a picture of the building the refuge uses and its address appears on the search engine. Having requested that Google take down the image and the address, the refuge received no response. It is staggering that the privacy of an organisation whose purpose it is to protect others is allowed be invaded in that way.
Legislation venturing into this topic is a grey area, and this debate allows the House to start discussing it for probably the first time in some time. I acknowledge that a legislative approach would have consequences for freedom of information, but does the Minister accept that, following the situations that occurred in my constituency, and Google’s reluctance to do anything about them, the time has perhaps come for, at the very least, a review of the kind suggested by my hon. Friend?
Many other Members want to speak, so I will make my remarks as brief as I can. I congratulate the hon. Member for Harlow (Robert Halfon) on securing this really important debate. In passing, let me tell him that it is not necessary for many of us to repeat what he said about Google, because I suspect that nearly all of us share a real concern about what has happened. We are particularly concerned that this country seems to be doing significantly less about these issues than almost anywhere else in the world, and we need to do something about that.
I particularly commend the hon. Gentleman on drawing attention to the simple fact that there is a big difference between an ordinary member of the public taking a photograph of somebody’s house and Google taking pictures for Street View. That is because of not just the scale at which Google is operating, which my hon. Friend rightly mentioned, but the purpose. Google is doing this for commercial purposes. I do not know whether my hon. Friend is aware of this, but the latest figures on the value of e-commerce in this country were revealed just today. In a few years, the value of e-commerce has gone from nothing to £100 billion, or 7% of the economy, and we all know that that figure will rise. It is therefore not surprising that Google wants to capture as many data as possible and to use them for commercial purposes. That is why we have to be particularly mindful to ensure that we have the right safeguards in place in the growing e-commerce market.
I was delighted that my hon. Friend drew attention to others who are scraping and gathering data of one sort or another. As has been said, there is a real issue not only about whether they should be allowed to gather data and to use them for some of the purposes that they do, but about security, as we have seen, sadly, on so many occasions with the large collections that are held.
I draw particular attention to ACS:Law. Many people will be aware that that law firm is making money by sending letters to people saying that they have allegedly been involved in illegal file sharing or similar illegal activities on the internet. It then demands about £500 from the recipient. If they fail to provide the money, the firm threatens legal action. As my hon. Friend said, the idea that someone is innocent until proven guilty does not seem to apply for that law firm. However, the real concern is not about the activity that ACS:Law is undertaking, although many of us should be concerned about it, but about the simple fact that it, too, recently managed to get hold of a lot of data from ISPs. The information, which was not encrypted, was sent by e-mail, which it should not have been. Other people then obtained it and used it for inappropriate activities. Even worse, the firm managed to put some of the data on its own website. There are real issues about the security of data.
Another issue, which has not been touched on, although I mentioned it in a brief intervention, relates to the activities of organisations such as Phorm. As many hon. Members know, Phorm was apparently established secretly. BT ran trials in about 2007 to gather details about how people operated on the internet and what sites they looked at, so that information and advertising could be targeted at them. I accept that Phorm claims that it was developing a system that would completely protect the individual and maintain their anonymity. The problem, however, is that there was no evidence that members of the public knew that the trial was happening or that the system would give the protection that the firm claimed it would. I am, once again, saddened that proper investigations have not taken place.
That brings us to the role of the Information Commissioner. I hope that many Members will have listened to what he has to say. I do not want to make accusations about his role, but the difficulty for him and his team is that there is a lack of clarity about where the boundaries of his powers lie. One reason why we need to set up organisational structures to allow us to have the investigation that he proposes is that we need to look, among other things, at his role in dealing with the issues that we are discussing.
Does the hon. Gentleman accept that there is a lack of clarity and that the only way to guarantee clarity is to test those boundaries? It is not enough for the Information Commissioner to stand back and say that he does not know where the boundaries are; he needs to push them and test them, and he will soon find out where they are.
The hon. Lady—indeed, my hon. Friend—is absolutely right to raise that issue. We have heard it argued that one barrier might be data protection legislation, but I have some difficulty understanding why somebody who is there to check out these issues on our behalf is being told that he and his staff cannot do their jobs because of such legislation. It is absolutely right that we have to push at the boundaries in the way that my hon. Friend suggests.
I want to end with a point that has been made by the hon. Member for Harlow and my hon. Friend the Member for Cambridge. I have one criticism of my hon. Friend and I share one area of agreement with him. I find it difficult to accept entirely what he says about the Digital Economy Act 2010. I accept entirely that the provisions of the Act that dealt with illegal web activity included a proposal, which I and my party opposed, that could block websites even before they had done anything illegal, because they might possibly do something illegal in the future. It was a bit like the film “Minority Report” in which someone could be arrested because they might do something in the future. That is nonsense and must go, but if my hon. Friend looks closely at the elements of that Act on illegal file sharing, he will find that it is not true that the idea that someone is innocent until proved guilty is not there.
The staged approach in the legislation—we must have some sort of law to protect intellectual property—is going the right way. I disagree with my hon. Friend about that, but I entirely agree with him about the intercept modernisation programme. I am delighted that he raised it yesterday in the House with the Prime Minister. Many of us are very concerned, for the reasons that he eloquently gave, to think that the programme may still be going forward under the coalition Government. There are those of us who care about privacy and the freedoms of people in this country: the very people who have stood up against the growth in the number of CCTV cameras. It is ludicrous that we have 1% of the entire world’s population and 20% of its CCTV cameras. Is any other evidence needed of the way Big Brother is beginning to operate? We have rolled back some of that effect; we rolled back ID cards and some of the other planned databases of the Labour Government. We must be on the ball in checking what the Government do about the intercept modernisation programme. I congratulate the hon. Member for Harlow on an important debate and desperately hope the Government will listen. I shall be listening particularly to my hon. Friend, the excellent Minister.
I join in congratulating my hon. Friend the Member for Harlow (Robert Halfon) on securing the debate, and the Backbench Business Committee on continuing its programme of ensuring that such topics as this, which need a fuller airing, get one.
I want to take a slightly different angle by focusing briefly on some of the commercial aspects of the matter, and the business models of the leading web property operators that we are mainly concerned with in the debate. It is important to understand the motivation behind some of the issues that have emerged. At the outset I want to make it clear that, like my hon. Friend the Member for Harlow, I am both a user and an admirer of Google, Facebook and similar companies. I am also a capitalist, and I do not think that the pursuit of profit is a bad thing. However, even in free-market liberal democracies—in fact especially in such democracies—we take a legitimate interest in companies’ activities and power, and how those things may act for or against consumers’ true interests.
I do not need to repeat all the ways in which the internet makes the world a better place. In terms of productivity, communication, research, accessibility and so on, it is fair to say that the world has changed dramatically since a great Briton, Tim Berners-Lee, invented the world wide web. In commerce, the web makes markets more efficient by making it easier for buyers to find sellers and vice versa, and search engines, including pay-per-click marketing, play a big role in that. Because of the competitive auction nature of pay per click, there is a natural upward pressure on costs, which over time transfers more value to web intermediaries. Ultimately, of course, that has to be paid for by someone, and that someone—quelle surprise—is the consumer.
Those new costs have been affecting the public sector as well. In the answers to parliamentary questions that I tabled to seven Departments, it turned out that in 2009-10 £5.5m of taxpayers’ money was spent on pay-per-click advertising for the Government. That was an increase of more than 70% on the previous year. Given that much of that went on things such as swine flu awareness, one might question whom exactly the Government were competing against for those search terms, and indeed why search engines needed financial inducement at all to make such information available readily and easily to the general public.
Although we speak generically of search engines, anyone who has worked in online marketing will confirm that in reality there is only one show in town: that show, of course, is Google. If you push them, people know that Google is a commercial enterprise, but in my experience in business and anecdotally people do not tend to think of themselves as customers of Google. They choose to use Google much as they choose to walk down the public street. It is just there; it is what people do. I suggest that, deliberately or otherwise, Google reinforces that image of itself with, for example, its very plain home page, and particularly the term “sponsored links” that appears above its adverts. It makes them sound like some sort of charitable exercise, contributing to the inevitable costs of running a website. Of course they are not sponsored links, but highly targeted advertisements, which are a very big generator of profits.
I am sure that most hon. Members are aware that the formula used to determine placement on a search engine’s page is CPC x CTR. That means the cost-per-click bid multiplied by the click-through rate. Search engine executives will explain that that is the best formula to optimise the user experience and make sure that the content that appears is the most salient. Hon. Members who were particularly sharp at GCSE maths will also have spotted that it is the optimal formula for maximising the profit per available square inch on the screen.
Although Google operates many businesses, it is those adverts that generate the $23bn of global revenue for the company—the vast bulk of its overall sales. Google started life as a technology play, but today—let us be clear—it is a marketing, sales and advertising company. Why is that relevant to privacy? Because knowing more and more about people achieves two things. First, accumulating data and information on more and more things in one place creates—and protects—a position whereby that place is the default place to go to look for stuff. That is ultimately more attractive to advertisers, who pay the bill. Secondly, and even more importantly, it makes better targeting of the adverts possible. That in turn creates even more value for advertisers.
There is nothing wrong with good targeting. Anyone who has worked in marketing will say that trying to understand the customers better is central to the exercise, and people have always done it. Direct marketing, list marketing, or just plain old junk mail have been around an awful long time; and more recently, of course, loyalty cards have helped companies to fine-tune and hone their targeting. However, the internet is a different medium, and it is meant to put people more in control. Given that the issues that we are discussing are relatively new, and certainly not universally understood, there are questions about how consumers want to be targeted for marketing.
In pay-per-click marketing, there is a transition over time from active search, which is what most people associate with Google, when they think about it, towards contextual marketing, and ultimately to behavioural and characteristic marketing. Active search marketing is what happens when people actively search for x. In the search returns, as well as x, they will also get adverts for various other things, and commercial enterprises. Contextual marketing is what happens when people go to a website and all around it are ads for other things that are related to that website, whose content has automatically been worked out. Behavioural and characteristic marketing is not about what someone is looking for or at; it is just about the person. It is targeted marketing based on things about that person that they have themselves explicitly revealed, things that can reasonably be inferred, or things that can be guessed about them from their behaviour—what they have bought, what other websites they have looked at, and so on.
All three types have their place and will often be valued by consumers as well as advertisers. The first sponsored link on a search returns page is often the one the person is looking for, and that saves them looking further. Someone who is looking at a travel agency may well welcome an advertisement for a guidebook to the place they are going to. I do want to be told when tickets become available for a tour by a band I particularly like. I am perfectly happy for Amazon to recommend to me a reading list based on things I have bought from it before. However, there are also important issues to do with protecting consumer sovereignty.
First, there is a question of the use of explicitly revealed information. People who reveal information about themselves on, for example, a social networking site—various hon. Members have mentioned this—may not realise that such details will be used in order to sell to them. They may also not know about the cross-ownership between different web properties, which means that what they reveal on one site may be used by another. There is also the potential for scraping, which was alluded to by my hon. Friend the Member for Harlow.
Secondly, there is a considerably bigger question about information that people have not explicitly revealed about themselves. That may be characteristics, such as where they live and whether they live in a big house, or behaviours, such as the websites they have visited or the television channels they have watched. Web operators will give all sorts of assurances on such points. They have privacy policies and customer charters and say things like, “Don’t be evil.” Then along comes the BT Phorm case, which has been alluded to, or the Google Street View snooping case, and they serve to remind us of the potential that exists.
Indeed, in the case of media that are as dominant and as ubiquitous as some of the web properties that hon. Members have talked about today, I do not believe that relying on individual companies’ privacy policies is sufficient or appropriate. Although we do not want unnecessary regulation or to stifle what is still a very dynamic sector in which this country has a leading role, we need to consider two key things. First, we need to institute explicit rules on the usage of personal revealed information for marketing purposes. For example, it might be standard to have an explicit, active and time-limited opt-in for the use of personal data for marketing purposes. Given the fast-moving nature of the sector, such issues need to be constantly revisited, as my hon. Friend the Member for Milton Keynes North (Mark Lancaster) suggested.
Secondly, we need to bring in seriously punitive fines for the use of non-actively revealed personal data, including behavioural data. That will seriously focus the minds of people who are engaged, or potentially engaged, in such activities and ensure that those abuses never have to be apologised for again. The sort of independent commission and voluntary charter that my hon. Friend the Member for Harlow referred to may well be the ideal route. If not, this is a very legitimate area for Government intervention, and I look forward to hearing what my hon. Friend the Minister has to say on the matter.
I thank my hon. Friend the Member for Harlow (Robert Halfon) for initiating this debate. I should like to draw hon. Members’ attention to my declaration of interest. At heart, I am a libertarian. As a general rule, I abhor state interference. I believe in free markets and feel that Government tend to hinder rather than enhance enterprise and creativity. However, I will argue today that some Government interference and regulation are essential. I am certainly against any information being stored about me without specific consent. That seems obvious and the Government should quickly address the matter through regulation.
My contribution to this debate is to do with intellectual property, piracy, the balancing of civil liberties with individual freedoms, and the protection of copyright holders. In September, I attended a week-long forum organised by the UN on worldwide internet governance. To some hon. Members, that may not seem like a lively and riveting subject, and, to be honest, parts of it were a little dry. None the less, there was some very interesting information to take away. The attendees were from a wide background. They were internet technical specialists, civil servants, pressure groups and so on. Disappointingly, there were few Government Ministers or Members of Parliament from around the world, other than some from east Africa and six from the UK Parliament. The pirate party from Sweden was also represented. That latter inclusion gives a flavour of what the debates tended to centre on.
Many groups were quite rightly concerned about child protection issues. Other than that, however, there was a general feeling that the internet should be totally free and that any regulation should be resisted, especially Government-type controls. However, it is my belief that that is a recipe for disaster. The internet is all-powerful, with an increasing flow of digital information, be it written, musical, on video or pictorial. It is providing for a world economy that is both fast-reacting and, for some, increasingly obscure. Anomalies are already showing up, as we have heard. At the forum, we learned that India does not have a data protection Act, so data stored there are not under the same rules and regulations as they are here.
However, the biggest threat to commerce and innovation is where creative works can become “owned” by users of the internet, rather than those who are creating the works. As we know, file sharing has become rife. At the forum, the prevailing view was that music downloads cannot be stopped, so we should let people get on with it. That is simply nonsense. Certainly, business models need to change so that musicians can recover revenues in different ways, such as on live tours. However, if all creative works are suddenly to be public property, our creative industries are at risk.
It is not simply that the internet, or search engines such as Google, are allowing free access to such work; as my hon. Friend the Member for East Hampshire (Damian Hinds) mentioned, they are a making a profit from such access, and are making money from aggregating other people’s content.
Indeed, and to add to my hon. Friend’s point, the money that is being made is not finding its way to the owners of the creative works. Let me give a quick example from Spain, where there is a free-for-all internet culture. Various leading movie studios are actively considering banning DVD sales in that country. Sales of DVDs fell six times faster in Spain than in the rest of Europe. There were 2.4 billion unauthorised downloads of music and movies, which represents 50 downloads per Spaniard, which is just huge. Unfortunately, the UK is going in the same direction.
There must be reward for inventors and artists to enable those sectors to flourish. We cannot allow the UK music industry to be decimated. I have submitted some parliamentary written questions to discover just how important our overseas earnings from music are to our economy, and to find out how many jobs are involved. I do not need the reply to know that the figure is very high indeed.
The Digital Economy Act 2010, which has been referred to, has started to recognise the problem, and the Gowers report made a firm commitment to protecting copyright owners. However, favourable reports will not save the situation if there is not some control of the internet by a responsible governing body that looks out for the interests of creative individuals. The Digital Economy Act has flaws, and the appeals process is one such flaw. However, what the Act does is enshrine the right of individuals not to have their works stolen. I therefore commend my hon. Friend the Member for Harlow for initiating this debate.
I suspect that we need to talk further about the interpretation of the Digital Economy Act 2010. I am glad that my hon. Friend accepts that it has flaws. Does he not accept that there is already provision in law for people not to have items stolen? There is a huge amount of legislation covering theft, fraud and all sorts of other issues, and my hon. Friend is in danger of saying, “We must do something. This is something. Therefore, we must do this.”
I thank my hon. Friend for making his point. None the less, the view from the UN internet governance forum, which was attended by representatives from around the world, was that the internet cannot be controlled, and so everything should go free. We have heard today that that is simply unacceptable and that there is scope for legislation.
I commend my hon. Friend the Member for Harlow for initiating the debate, and urge all parliamentarians to get behind moves to ensure that our personal freedoms are not eroded by those taking advantage of this rapidly changing medium. They should support legislation and committees and call for proper regulation across the board. They may temper that regulation so that we have only what is necessary, because we do not want strangulation by regulation. It is a difficult line, but one that we must get right—and quickly.
I am grateful to you, Mr Weir, for giving me the opportunity to speak in this important debate on the internet and privacy, and I congratulate my hon. Friend the Member for Harlow (Robert Halfon) on securing it. I want to preface my comments by saying that I am not particularly a civil libertarian, and I believe that the first role of the state and therefore our Government is to protect our population. To do so effectively requires sacrifices in the civil liberties that we would all ideally like to have all the time. For the population in modern Britain to be protected, we must accept that some of our liberties have to be curtailed slightly, or pooled for the greater good. In our liberal democracy, if a person has nothing to hide, they have nothing to fear.
What I am about to say about Google is not in any way a criticism of the industry or individuals within one company. It is an important industry and a major employer in the UK. I am actually a great admirer of Google and have been using its online services, particularly its search engine service, for 12 years or so. The company provides a first class service, and who here has not Googled themselves?
I want to cover the issue of Google’s aforementioned Street View project, which went live in March. The project was undoubtedly a brave and innovative commercial decision. It was a logistical task that is probably on a par with carrying out a population census. It has also been a hugely expensive task for the company. Like my hon. Friend the Member for East Hampshire (Damian Hinds), I am a capitalist and therefore I admire Google’s willingness to take a risk and provide a hugely innovative new online service. However, as my hon. Friend the Member for Harlow stated, there are a number of legitimate concerns about the way that the project was developed and about the regulator’s response to the legitimate concerns of many private citizens about the project.
The main concern is about data capture. As Google’s cars drove around the UK and many other countries, the wi-fi receptors on board captured information being transmitted online over the networks around them. What was captured, how much was captured and from whom is currently unknown and unclear. Encrypted and unencrypted data were captured. Given the number of people affected, it is almost certainly the largest intrusion into privacy ever to happen in this country. The code that enabled the capture of data from unknowing people by Google’s cars as they were driven through neighbourhoods was apparently written in such a form that encrypted data were separated out and dumped, specifically sifting out and storing the vulnerable unencrypted data on Google hard drives. If that is true, that goes well beyond the “mistake” explanation that was given to us by Google. Therefore, the question is whether Google intentionally breached the privacy of many people’s communications.
Does my hon. Friend agree that one of the great things about this debate is that it highlights the need for everyone to secure their wireless networks? I happen to be a software engineer, and I am struck by the fact that using an unencrypted wireless network is equivalent to shouting our personal details on a bus. Does he agree that we should all secure our networks?
Again, I will touch on that issue very shortly. We all go to coffee shops and the like that have unsecure networks, and of course there is an element of choice in doing so. However, people in their private homes need to be aware that it is possible to lock their routers, and people need more education about that option. That is probably a job in the first place for the providers of the broadband services.
I should like to touch on the point about securing networks. To use an analogy, does my hon. Friend agree that, if someone leaves their window open and a burglar comes into their house, it is not the home owner but the burglar who is at fault? If it is being suggested that we should have to block our wi-fi and have special security—whatever that may be—that is, in essence, putting the responsibility on the individual, rather than on the “burglar” in the first place.
Things are not ideal—we live in an imperfect world—but the fact is that people need to be aware that it is possible to lock their wi-fi routers, and they should be encouraged to choose that option. To continue with that very point, the data capture by Google could have been avoided if everyone in the country locked their wireless routers, thereby encrypting their data. But not everyone is aware that it is possible to lock their routers and many businesses, such as the pubs and coffee shops that I mentioned earlier, offer unlocked wi-fi as a service to their customers. We do not encrypt our telephone calls or our post, but we still have a legitimate expectation that others are not prying into them, and indeed doing so is a criminal offence.
Google’s wi-fi intrusion has been brought to the attention of the Information Commissioner’s Office, as we heard earlier. However, the ICO only sent two non-technical staff to Google’s headquarters, which is the heart of what is perhaps the world’s most technologically advanced company. Those non-technical staff then looked at only a small sample of data taken from what Google chose to show them and promptly issued a press release that effectively cleared the company of any wrongdoing, in the middle of a formal police investigation into Google’s actions.
I question whether the regulator acted appropriately in this instance. The ICO now effectively refuses to investigate Google, while its counterparts in countries such as New Zealand, Australia, Canada, Germany, France, the Czech Republic and Italy all pursue the company on the issue of privacy, and the authorities in South Korea physically raided Google’s offices in the country. In addition, 38 US states have united to probe the company’s behaviour and a thumping class action has also been issued in America.
In Britain alone, the relevant commissioner has not taken the severity of the company’s wrongdoing seriously enough. The ICO has really let the British people down in that regard. We deserve better from those who are given the responsibility of protecting our privacy. After all, the Metropolitan police are currently investigating Google over this issue. If the allegations against Google merit an investigation by the police, who have to consider the criminal standard of fault, how is it plausible to say that those allegations do not merit an investigation by the ICO? I also question how sensible it is for the regulator to issue a press release when a Metropolitan police investigation is still under way.
To be fair, Google is hardly the only offender in privacy terms. Other hon. Members have mentioned sites such as Facebook, which I personally use avidly to communicate with more than 1,000 of my constituents. More generally, all the social networking media have privacy issues, but of all the providers and organisations working online, Google is the only one that I know of that has roamed the streets, taking data from the airwaves. That puts them in a special category.
Apart from the seizing of data by Google cars for Street View, like most companies in the online space, Google can generally defend its products when challenged about privacy or intrusiveness by pointing to the implied or explicit consent of users to surrender or generate data that will be retained by the company. However, that does not apply to Street View images, which are of homes whose owners have not consented to having such images shared and of members of the public who have not consented to having their bodies displayed.
In conclusion, this is perhaps the largest invasion of privacy ever to happen in the private sector in the UK. Moreover, it appears that it was only halted after the company involved got caught. So I am pleased that we have been able to debate these issues fully in Westminster Hall today, and once again I congratulate my hon. Friend on securing this important debate.
It has been a real privilege to be here this afternoon to listen to the debate, which has certainly been educational for me. I commend the hon. Member for Harlow (Robert Halfon) for taking the opportunity to initiate this debate and I also commend the Backbench Business Committee for choosing this debate for Westminster Hall. We are at the beginning of a very important process and the hon. Gentleman can take great credit for initiating the debate today.
I particularly want to praise the hon. Gentleman for focusing on the invasion of privacy by private organisations. Although there have been many discussions about personal liberty during the past decade in the context of terrorism legislation, as the hon. Member for Cambridge (Dr Huppert) observed, the focus in those discussions was very much on the position of the state. While that debate has been happening we have paid too little attention to the increase in the collection of information by private organisations. It is very important that we are discussing this issue today. We need to be at the beginning of a process that deals very seriously with what is a difficult and complex issue. I think that that complexity is the main reason why it is only now that the general public is waking up to what is already happening in the internet sector.
The contributions from all Members who have spoken have been very valuable. I want to refer to those contributions, as they deserve further discussion, and I hope that we will discuss them as we take the debate further forward. The hon. Member for Cambridge perhaps concentrated more on the state aspect than any other speaker so far. We had many debates before the last general election on the issues related to the state and I think that today we should concentrate on the issues relating to internet privacy and private organisations. We need to focus on that aspect.
We are talking about who owns the body that collects the data, but for me that is rather the wrong way round. Surely the vital question is this—whose property is information about a person when it is transmitted? I ask that question, because surely that is what we mind; the infringement of information about ourselves being collected, whoever is collecting it. So, let us look at the property rights, but can we change things around and focus on the individual and not on the person or the body that collects information about the individual?
That is helpful. We need to consider the position concerning regulation on the issue. I will come to that later in my remarks.
It might be helpful to refer back to the present position as far as I understand it. It is a complex area, so I might get some things wrong. The Data Protection Act 1998 established principles for the retention of personal data, and the Information Commissioner has had a role in supervising those principles generally. The Information Commissioner has been referred to several times. I certainly agree that he needs to push the boundaries of his powers in protecting the individual’s rights, and I do not think that that has happened sufficiently in the past.
In respect of private marketing, the Privacy and Electronic Communications (EC Directive) Regulations 2003 focused on the sending of unsolicited marketing messages by e-mail, and consultation on the further development of regulations in that area is taking place. The history of regulation is a consistent race between technological development and legislation. One example is the Data Retention (EC Directive) Regulations 2009, which included internet activity in the communications data to be retained for a year by communications providers. All those regulations should be viewed against the backcloth of the Human Rights Act 1998 and its attempt to balance privacy and freedom of speech. Recent developments in the common law on privacy add to the mix, making the legal position even more complex.
It has been said in this debate that in some respects, the United Kingdom has been slower to act on such issues. I believe that part of the reason is that the English legal system does not have the same common law right to privacy that many other countries do. For example, France and Germany have laws specifically to protect individuals from invasions of privacy. I think that most people are surprised by the limitations on enforcement of privacy rights within the UK. The tools that exist in common law are very limited.
We have a difficult balancing act when trying to take matters forward. I was the Minister for Business and Regulatory Reform before the general election and, although it may come as a surprise to some Members here, I always adopt the principle that one should regulate as a last resort, only in pursuit of a particular policy end and where other options are not available. My first reaction to proposals to reform the legislative or regulatory framework is to ask whether we can use some form of self-regulation. I think that we all accept that it is a difficult problem that we need to confront. Can we do so through self-regulation within the industry? Self-regulation would have some advantages. The problem is not, of course, confined to the United Kingdom.
I thank the hon. Gentleman for his thoughtful opening remarks. On the voluntary side of things, that is exactly what I argued. I suggested that we should have a code, in the same way that the British Medical Association has a code for doctors, lawyers have a code and so on. That should be the first course of action, rather than the immediate implementation of state action.
We should certainly consider that approach. However, I was going to conclude that I do not think that it will be sufficient; I think that some other Members have also taken that view. Self-regulation in media organisations has not had a happy time recently in the United Kingdom. The Press Complaints Commission comes immediately to mind; it has failed badly in the News of the World inquiry and case. I am suspicious of over-mighty international media organisations. What happened in that context—there was a regulator and a voluntary regulatory system—could certainly recur in the case of an organisation such as Google, for example, about which we have heard a lot in this debate. Google is a powerful, rich and monopolistic organisation. What happens in a self-regulatory system where the powerful, over-mighty subject ignores the regulator?
Does the hon. Gentleman think that the problems that he is describing are endemic in all large organisations that handle large amounts of personal data, whether they are search engines, mobile phone companies or banks? It takes only a certain number of rogue employees to release for personal gain private information to which they are privy. The steps that a company can take to protect itself from that are serious, but also complex.
Indeed. One problem with a Law Society or BMA model, with respect to the hon. Member for Harlow, is that although that would be an appropriate way to proceed for some of the organisations involved in collecting such information—they are responsible professional organisations and would act responsibly—unfortunately, it would not be appropriate for all. Other organisations might take a much more laissez-faire approach—if I dare use that phrase in the presence of so many Conservatives—and would not deal with the issue responsibly. I am concerned that a self-regulatory system might not be as effective as we would like.
Does the hon. Gentleman not agree that there are many different versions of and variations on self-regulation? For example, the Advertising Standards Authority model is completely different from that of the BMA. Surely it is possible to design a model to have the right amount of independence as well as teeth, so that it gets the respect and compliance that we want.
That may be. We are at the beginning of a debate, and I am setting out my personal views at this juncture. When I conclude, I will agree that we need to examine the matter in more detail, but those are my concerns about a self-regulatory framework. With fines, for example, it is difficult to create an effective system that imposes large financial penalties on companies that do not wish to pay them. If the fines involve hundreds of thousands or even millions of pounds, only the force of law will be sufficient to ensure that the necessary action is taken.
I thank the hon. Gentleman for giving way a second time. He is right about fines, but I think that it is possible. I speak from experience, having worked in the advertising industry. An advertiser that breaks the Advertising Standards Authority code may be forced to withdraw an advert that it might have spent hundreds of thousands of pounds making. That is why self-regulation and enforcement of the code are effective in the advertising industry. In the case of the Press Complaints Commission, by contrast, a slap on the wrist or an article in a newspaper is a small price to pay.
That may be the case. We can discuss it as the conversation continues beyond this debate. The hon. Member for Wycombe (Steve Baker), who is no longer in his place—he seems to have disappeared—pointed out a moment ago that information belongs to the individuals who give it in the first place. That is a strong point.
Part of the problem with the issue is that when people use their computers—this certainly applies to me; I am not a geek of the type described by the hon. Member for Cambridge—it does not always occur to them that they are passing on to a third party which books they like or what articles they are interested in. I think that most people are in that position. They concentrate on what they are using the internet for, and it is incidental to them that that information is being secured by a third party. I think that they would be shocked to learn that it was being traded for marketing purposes. The difficulty is that that process is already happening, because people are using the internet and have been for such a long time.
Is what my hon. Friend has just described not simply a corollary? Someone goes along with their credit card to buy a product and the information is known to Experian, which sells that information. Is it not just a case of people transferring their behaviours online? We are talking about the same stuff. We should perhaps not be too afraid of the fact we are behaving the same way on the internet as we would otherwise behave with our credit cards.
I am delighted that my hon. Friend is here; he is absolutely right. I feel slightly uneasy about such marketing—perhaps I am old-fashioned in that regard. What my hon. Friend mentioned is another reason to go wider in dealing with the matter. Rather than simply focusing on the internet, we need to consider how information about individuals is collected and used by third-party organisations. The primary purpose of, for example, a credit card is to buy something, not to give information to a third party. I think that someone said earlier that we need to educate the general public much more about the use of information, what is involved in the use of the internet and what information is being given to third parties. That is extremely important.
It is crucial that we give intense consideration to where we are. We need to consult widely with the industry, the internet service providers, the internet companies and the general public about how we deal with this difficult problem. People need to know much more about the scale of the information they are retaining and why it is being retained. I was slightly surprised by the hon. Member for Harlow talking about the extent of the information that Google has and the fact it has not given it to third parties. Why is it retaining that information, particularly when it seems to be very valuable? The exposition on marketing from the hon. Member for East Hampshire (Damian Hinds) was very useful in that regard. The hon. Member for Bath (Mr Foster) said that the value of the internet is £100 billion in the UK, so we are talking about massive stakes.
What has come out of the debate is that we need to have a very wide discussion and recognise that private organisations must be scrutinised in exactly the same way and to the same extent as governmental organisations. We have got ourselves into a very serious situation. We have heard about different approaches from hon. Members today and, although shades of different views have been expressed this afternoon, there is recognition across the House that we need to get to grips with the issue. We are not talking about a partisan matter in the same way that some civil liberty issues have been partisan in the past decade.
We have made a very good start on dealing with the matter today, but we need to make further progress. The type of commission that the hon. Member for Harlow mentioned would be a good start, but we must ensure that it consults as widely as possible. An important role of that commission should be to publicise to individuals not just in the UK, but across the world the extent of the information concerning them that is being obtained by these very large—in many cases, multinational—companies.
Collectively, we can deal with the issue. It may be that we can do so through some form of self-regulation. That has the advantage of being applicable across the world, if we can get the biggest companies to buy into such a system. If we cannot do that, it will be a very serious matter. The privacy and liberties of individuals are extremely important and, if required, we need to put in place a system of legislation to ensure that their rights are protected.
It is a pleasure to serve under your chairmanship this afternoon, Mr Weir. I was going to begin by saying that today’s debate was no time for clichés but that I felt the hand of history on my shoulder, because I was under the impression that this was the first Backbench Business Committee debate. In fact, it is the first such debate in Westminster Hall—there have, of course, been three previous Backbench Business Committee debates in the Chamber.
However, I will stick with the cliché that the hand of history is on my shoulder as I congratulate my hon. Friend the Member for Harlow (Robert Halfon) on initiating this important debate, because I think it is one of the few times that Parliament has debated properly this important aspect of the internet—that is, how it affects people’s privacy. I suspect that the issue was raised when the Digital Economy Bill was debated at length in the other place—it was debated only briefly in the House of Commons. There have been few, if any, debates on this important issue, which touches almost everyone’s life, or at least those who go online.
Let me begin by setting out a few principles and general thoughts and approaches, before I talk specifically about the Government’s approach to privacy on the internet. On the spectrum of opinion within the coalition, I should say that I am firmly on the civil libertarian wing of the Conservative and Liberal Democrat party. I believe that one of Government’s watchwords should be “Protect individuals’ freedoms.” I campaigned strongly against identity cards, and I believe that the state should not intrude in people’s lives, and should protect the freedoms of individuals when others seek to do so.
I also remain personally concerned about the very serious breaches of people’s privacy on the internet. Many such breaches are unintentional and very few are brokered by internet-based organisations and companies. They are mostly down to the bad behaviour of individuals who would, no doubt, behave badly whether the internet existed or not. A story in The Sun today refers to a lady, Carolyn Owlett, who had her Facebook identity stolen and the serious consequences that had for her. The story is effectively about an unpleasant individual—not Ms Owlett, I hasten to add, but the woman who stole her identity—who used the internet as a tool with which to make someone else’s life a misery. However, that story does not necessarily reflect badly on Facebook. I will come back to the possible remedies for such a situation.
It is important to put the debate in context. We are right to be concerned about the effect of the internet on privacy, but we should also remember that one of the reasons it is having such an impact is that so many of us voluntarily use it. There was a vigorous debate about Facebook’s privacy settings, and that was perfectly legitimate. However, we should remember that the reason Facebook is a big company that knows a lot about many of its users is that almost half the population of this country are members of Facebook, as are more than 500 million people worldwide.
Picking up on the useful intervention of the hon. Member for Falkirk (Eric Joyce) and the illuminating marketing seminar given by my hon. Friend the Member for East Hampshire (Damian Hinds), we should remember that, when it comes to data harvesting, personal data have always been collected by commercial companies to enable them to sell products. I do not have a Tesco clubcard, but those who do are in effect given that card so that Tesco can monitor their spending habits and sell them more products.
I thank my hon. Friend for his opening remarks. Picking up on the credit card issue, when people get credit cards, they receive a clear letter inviting them to tick boxes to say whether they want their data to be passed on to other people. The point of my debate has been to say that, first, the scale of what is happening on the internet is much greater and, secondly, the individual is given no option to tick such a box.
My hon. Friend has raised two very important points that encapsulate the two principles behind the debate, which is unsurprising, given that he secured it. First, the internet is an enormous step change in the collection of personal data. What are the implications of that? Secondly, given that enormous step change, what rights—I use the word advisedly—should consumers have to protect their personal data when they interact with organisations on the internet?
Another general point about internet regulation is that a consistent approach to it is rarely adopted. It is always interesting to see those who want the internet to be regulated and those who do not. The hon. Member for Cambridge (Dr Huppert), who made a useful speech attacking the Digital Economy Act 2010, does not want the internet to be regulated when it comes to combating illegal file sharing, but he does want it regulated when it comes to protecting personal data. He kindly let me know that he would have to leave the debate at 4 o’clock to attend an event that he is hosting. He is very knowledgeable on the subject, and I hope that he will be prepared to share with me—an erstwhile colleague—the findings of the Liberal Democrat policy group on that issue, which will be an extremely useful contribution to the debate.
I hope that my hon. Friend the Member for Cambridge (Dr Huppert) will share that information not only with the Minister, but with me; that is proving a little difficult at the moment. On a more serious note, I say to the Minister that one problem we all have in the debate is recognising that a balance has to be struck; we want to protect people’s privacy on the one hand, and their livelihoods on the other. That is the difficulty, and it is probably one with which my hon. Friend the Member for Cambridge is still struggling.
I hear what the hon. Gentleman says; when a senior Liberal Democrat comments that a junior Liberal Democrat is struggling with an issue, the junior Liberal Democrat should certainly take note of his colleague’s experience in the matter. The hon. Member for Bath (Mr Foster) made an incredibly useful contribution to the debate, as he always does, and mentioned the report published today by the Boston Consulting Group, which might have been commissioned by Google. The report estimated that in the UK alone, the internet economy is worth £100 billion. He was right to point out that a balance has to be struck between how we regulate the internet and protect personal privacy online on the one hand, and the fact that it is now an incredibly important economic force on the other. One of the reasons for its economic importance is that it has had the freedom to develop and businesses have had the freedom to establish themselves online.
We should make no mistake that the internet is regulated, a point that I make time and again. There sometimes seems to be a lazy assumption that what happens on the internet is beyond the law. That is absolutely not the case; illegal activity is still illegal, whether or not it takes place online. Indeed, we have a sophisticated and comprehensive regulatory framework that is intended to protect the individual, both offline and online. Matters of online privacy are regulated through the Data Protection Act 1998 and the Privacy and Electronic Communication (EC Directive) Regulations 2003, not to mention the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. Much of that is enforced through the Information Commissioner’s Office, which is responsible for upholding information rights, promoting openness by public bodies and enforcing data protection rights for individuals. Where a breach of those laws amounts to a criminal offence, appropriate enforcement action can be taken, either by the police or the Information Commissioner.
We all recognise, however, that there are practical differences between the online world and the physical world, which can cause difficulties for individuals and companies. My hon. Friend the Member for Harlow suggested that perhaps the time has come for an internet Bill of Rights, and I hear what he says. The Information Commissioner has published a code of practice on the collection of personal information online, and I have a copy here. It is 36 pages long and densely printed—I do not think the commissioner has worked in public relations—so I am not sure that it is being read in the Dog and Duck, but at least the detail exists. The commissioner would do well to meet my hon. Friend to discuss how the code of practice could be promoted and whether it meets some of the concerns that his proposed internet Bill of Rights would seek to address.
The code of practice sets down detailed guidance for public and private sector organisations operating online. It covers topics such as online marketing, cloud computing, the protection of young people online and, of course, privacy settings. The document is not set in aspic, and we continue to debate with a range of stakeholders how we can improve privacy online and other concerns. Only yesterday, the Department for Business, Innovation and Skills held a meeting with more than 100 stakeholders from across the sectors, including consumer interest groups and Consumer Focus, to discuss that issue. The ICO, as well as publishing the guidance, expects organisations to recognise that online processing brings with it new risks to individuals and that the mitigation of those risks requires careful consideration of privacy impacts before products and services are launched.
I want to take that further and to see businesses signing up openly to the ICO’s code of practice to demonstrate to their users that their services adhere to the highest standards. I cannot remember who asked, in an intervention, whether some sort of kitemark might be useful for internet sites. If an internet company signs up to the code of practice and adheres to it, I think that that information should be clearly displayed on their home page for the reassurance of consumers. Indeed, a link to that code of practice might be provided—not necessarily 36 pages of dense text, but an easy-to-read summary that aids the consumer in understanding privacy implications.
One of the difficulties with kitemarks on the internet is that one often has to go to a particular site to obtain certain information, and if one leaves a site that does not have a kitemark, one does not get any information. Although the kitemark is a good idea in principle, it would have to be exhaustively followed in order to succeed.
I understand the hon. Gentleman’s point, but I want to see self-regulation and voluntary action by organisations on the internet. That is a theme that I want to develop in my speech—I have only one hour and 10 minutes remaining, so I will try to speed up a bit. We have a code of practice that many companies say they adhere to, so that information should be made available to consumers. Critical momentum could be built up if more well-known and legitimate websites signed up to the code, made that plain on their home pages and allowed consumers to see what that code states.
Does the Minister agree that the Information Commissioner’s 36-page document is challenged, in terms of length and density, only by the typical set of terms and conditions found on most websites? One baby step, perhaps as an interim stage towards the developments that we all want to see, might be to encourage all websites to produce a much simpler version of their terms and conditions—perhaps only half a page, explaining in clear English the sorts of uses to which their data will be put.
I could not agree more with my hon. Friend. I used to be a lawyer; he used to be a marketer. Marketers are far more useful to society than lawyers. The trouble is that the terms and conditions are written by lawyers who want to cross every t and dot every i to protect their own back in every eventuality. What the consumer wants are easy-to-understand guidelines. That is something that I want to look at with the major internet service providers and websites. I shall expand on that point later in my remarks, probably at about 10 minutes past 5.
The Information Commissioner’s enforcement powers under the Data Protection Act 1998 and the Privacy and Electronic Communication (EC Directive) Regulations 2003 include the issuing of information notices to request information so that he can establish whether legislation is being complied with by an organisation. He can issue enforcement notices if he is satisfied that a data controller—that is, a website—has contravened or is contravening the legislation, for example by failing to process data fairly and lawfully. In addition, the Information Commissioner can issue a civil monetary penalty of up to £500,000 for serious breaches of the Act, although that power only came into force in April 2010. That is an important point, given that I am about to speak about Google Street View and the controversy that surrounds it.
My hon. Friend the Member for Harlow made it clear that part of his reason for calling this debate was to discuss Google Street View and the harvesting of data. Although my hon. Friend the Member for Dudley South (Chris Kelly) is not a civil libertarian, he pointed out that that was possibly the greatest breach of privacy in the history of this country, given the huge amount of data that were collected, although I am not sure that it ranked with the two CDs that went missing from the Inland Revenue.
I am able to update the House on the position. The ICO learned from Google in May that, in addition to the mapping exercise that it was supposed to be undertaking, its Street View cars had unintentionally collected payload data from unsecured wi-fi installations as they passed. It is the Information Commissioner’s job to consider whether in such circumstances there has been a breach of the law. He has been considering the issue and, importantly, has been discussing it with information commissioners in many other countries, including Canada, which my hon. Friend the Member for Dudley South mentioned.
Given that Google reported the breach, the best practice at that point would have been to delete all the data. However, as the Metropolitan police were considering whether the breach warranted an investigation, the data have been kept for evidential purposes. I understand that the police have decided that it would not be appropriate to launch a criminal investigation, so I will meet the Information Commissioner next week to discuss what next step he intends to take in respect of the data, and Google’s breach of data protection. I do not want to pre-empt what the Information Commissioner will decide to do, but normally he would work with the organisation that has committed the breach and put in place mechanisms to ensure that it does not happen again. What is clear is that the Information Commissioner does not have the power to levy a fine because, as I said earlier, that power did not come in until earlier this year.
It is interesting to note that the Federal Trade Commission, which has also been investigating Google’s breach, issued a letter yesterday pointing out that it, too, will not pursue Google on the matter on the basis that, in a series of public round-table events that the FTC hosted during the summer of 2010,
“Google has recently announced improvements to its internal processes to address some of the concerns raised”,
“appointing a director of privacy for engineering and product management; adding core privacy training for key employees; and incorporating a formal privacy review process into the design phases of new initiatives. The company also publicly stated its intention to delete the…data as soon as possible”,
and gave assurances that none of the data would be used
“in any Google product or service, now or in the future.”
The other lesson that should be learned from what happened with Street View is that we are in uncharted territory. As the small smart cars with large cameras appeared in our streets, little action was taken by anyone. We took it in our stride—well, my hon. Friend the Member for Milton Keynes North (Mark Lancaster) reminded us that his constituents took action by blockading one of the cars.
My recommendation is that when an organisation undertakes an exercise of that kind in the future, the ICO should put in place ground rules and discuss with it what measures will be taken, so that the organisation does not inadvertently breach data protection rules. I certainly think that if an organisation such as Google decides in the future to undertake a harvesting procedure of that kind, that is what the Information Commissioner should do.
Hon. Members also raised concerns about companies that search the web looking for adverse comments made by customers or staff members on blogs or social networking sites. My hon. Friend the Member for Harlow said that that was out of order. With the greatest respect, I would say to him that that is possibly an example of where we seem to believe that doing something on the internet is wrong when doing something like it offline would be acceptable.
For example, people post comments online. When they do that, they put them into a public space, if they decide not to put in place any privacy settings. They have to comply with the law in the United Kingdom as it stands—the comments cannot be defamatory. This is a matter of judgment for the individual company in terms of its reputation and relationships with its employees and customers, but there is nothing technically wrong in searching websites to see what comments have been made about an organisation. Indeed, as my hon. Friend the Member for Dudley South said, almost poetically, which one of us has not entered their own name in a Google search?
What my hon. Friend is missing is that it is not just basic things that are being scraped. People’s passwords, user names and e-mail addresses are being passed on to companies without permission, but when people go on to such sites, they are not made aware that that will be done.
That is a separate point. The point I am making is that if companies decide to search the web to see what people are saying about them online, that is a perfectly legitimate exercise, although there may be a different point in respect of their reputation. What my hon. Friend says about the use of people’s data without their knowledge is important, and I will come on to it, but although I now have an hour left to speak, I have been passed a note by my official which says that I need to speak for only 20 minutes. That gives a flavour of how well this speech is being received, at least in official terms.
This is totally different from searching online in case anyone said anything. Companies are going into people’s private accounts. It is exactly the same as someone going into another person’s house without permission to check whether they are doing something. They are going into people’s private accounts, which is different from just a general search.
Given that the Minister is talking about the importance of freedom, openness and so on, could he make available to all Members a copy of the note he just received so we can have a word with his official and point out that the Minister does not need to speak for 20 minutes?
I think that that would be a breach of my official’s privacy.
I shall turn briefly to Facebook and the consumer’s right to privacy. As I have already talked about the personal information online code of practice, hon. Members will be aware that there was great controversy earlier in the year about Facebook, because its privacy settings were seen as unclear. Its default settings put one in the public space as opposed to the private space, so, suddenly, one had to opt out of rather than into that sphere. I am delighted to say that Facebook has been working closely with colleagues at the Department for Education and is now a member of the UK Council for Child Internet Safety, as is Google and BlackBerry. As such, it follows the good practice guidance—produced to guide companies that provide internet services popular with children and young people—about what additional safeguards it can put in place to protect children online and provide a positive online experience. The guidance includes advice on companies’ obligations to ensure the privacy of their users’ information and on options and settings they can provide users to protect privacy further, and it recommends making information on safety and privacy easily accessible to users, so they understand the privacy options available. The UKCCIS continues to work with companies providing internet services used by children, including Facebook, to improve safeguards, including safeguarding their privacy.
On scraping and cookies, as I am sure hon. Members are aware, a cookie is a piece of text stored by a user’s web browser. There are many uses for cookies, including authentication, storing site preferences and shopping cart contents and as the identifier for a server-based session. Cookies are also used to speed up the user’s web browser as they help to remember the settings and options used the last time a website or page was visited. They have been a hot topic for some time. At the moment, information obtained through cookies can be used to categorise users’ internet interests to serve adverts that match broad interest categories, though the user should be able to refuse the import of cookies on to their machines. Clearly, that has commercial benefits, and, indeed, benefits to the individual—we should not be shy about saying that, and my hon. Friend the Member for East Hampshire was clear about the benefits of targeted marketing to individuals. However, organisations have to ensure that users are aware that they are collecting such information and know why.
The revised e-privacy directive will give users greater control by requiring organisations to get their agreement before the information is collected.
In terms of the UK Council for Child Internet Safety, I think that the issue needs to be addressed. As a matter of principle, we all accept that children deserve greater protection than adults do, whether offline or when accessing content online. We will continue to look at that.
Let us make no bones about it. As the hon. Member for Bath made clear, the key issue is not necessarily the harvesting of data on shopping habits, but the harvesting of data without consent or knowledge. There are some who say for example that Phorm, the company with which BT carried out an experiment, was providing a perfectly legitimate commercial service in allowing organisations to monetise their presence on the web by targeting adverts at certain consumers; if a consumer is particularly interested in a type of car, that advert could appear on screen while they are reading a web page. The website—for example, The Guardian or The Observer—could charge more for that advertisement and, therefore, monetise its online content. That is a legitimate argument, but huge concern was generated because there was no transparency. It was done without consumers’ knowledge and it was unknown what would happen to the data once they were collected or whether they would be transferred to third parties. At the heart of the debate is, above all, transparency over what data organisations harvest and the opportunity for the consumer to choose to opt in.
Does the Minister agree that such an opt-in must be an active opt-in? The ability not to have cookies exists on just about everybody’s computer, but how many people understand it? It is a different proposition to have to say, “Yes, I want to be marketed at; I want people to know my preferences.”
That is an important part of the debate. I shall talk later about the regulatory framework on e-privacy on which we are consulting, and it will be interesting to see the public’s response. There is certainly a strong argument that the consumer should not only be able to opt in, but know about their right to do so.
We are implementing changes to the e-privacy directive that strengthen privacy regulations in the online world, as part of our implementation of the European framework on electronic communications. We are consulting on those proposals, which could lead to changes to the privacy and electronic communications regulations and strengthen the Information Commissioner’s enforcement powers.
The directive has three key elements. First, effective, proportionate and dissuasive penalties will be introduced for any infringement of the directive’s provisions. Secondly, as part of the implementation of the revised e-privacy directive, we are also consulting on notification procedures for personal data breaches. We propose to ensure that the ICO issues guidance on any change to that notification mechanism and that the guidance will be the subject of a future consultation by the Information Commissioner. Thirdly, other changes to the e-privacy directive address problems with cookies, including any attempt to store information or gain access to stored information in a user’s equipment—using cookies—by requiring the informed consent of the user.
The provision covers legitimate practices that enable the use of many popular websites as well as illegitimate practices, such as spyware and viruses, which are also addressed in other legislation. The Government’s consultation on the implementation of the changes closes in December, and we will publish our response in spring 2011. The new measures will come into force on 26 May 2011.
Implementation of the electronic communications framework is not the only change that we are considering. Following the Lisbon treaty, as well as repeated calls to update the EU’s data protection directive, we expect the European Commission to publish a draft comprehensive instrument for data protection in mid-2011. The new instrument may cover all activities within the scope of European Union law. To inform the UK’s position for those forthcoming negotiations, the Ministry of Justice carried out a call for evidence for three months this summer to gain views on how the current legislative framework is working. Taken as a whole, those changes will usefully strengthen the regulatory framework governing privacy on the internet and will tackle some of the concerns expressed today.
As hon. Members have indicated throughout, there is a fundamental debate about the nature and scope of regulation. Business and the individual have a role to play in ensuring that both users and businesses are aware of their rights and responsibilities online. There is huge scope for self-regulation. The Internet Advertising Bureau has shown how industry can learn from consumer reaction and respond to consumers’ concerns by developing good practice principles. It has developed a website—www.youronlinechoices.co.uk—dedicated to informing consumers about behavioural advertising and offering a simple opt-out mechanism, which it proposed in March 2009, and this country’s advertising industry was the first in Europe to come up with a self-regulatory practice.
Discussions continue to take place between industry bodies at European level. Clearly, greater consumer awareness will help to address many of the concerns raised today and, with the Information Commissioner and industry, we will help with that in so far as is practicable.
I have spoken for almost 40 minutes, so it is time to draw my comments to a close. As a result of this debate and the thinking that went into preparing my comments, I intend to write to the major ISPs and websites, such as Google and Facebook, asking for a meeting. I want to discuss with them not just the general issue of people being aware of what data they may inadvertently be making available online, but the opportunity for redress.
I was struck by the comment from my hon. Friend the Member for Milton Keynes North about the women’s refuge centre whose address was put online, and it was then unable to persuade the organisation that was carrying that information to remove it. That organisation had not deliberately put the information online; it was simply the vehicle on which the information was available. There may be all sorts of reasons why it was difficult to take that information down. It may be that having taken it down, the address simply popped up again elsewhere, but the fact that no meeting or dialogue could take place worries me greatly. I suspect that most hon. Members in the Chamber have had conversations with constituents who have seen information about them online and have simply not known where to turn.
Nominet, the charity that is responsible for internet domain names, runs an extremely effective mediation service, so that people who are disputing the ownership of an internet domain name may be involved in a low-cost process to discuss how to resolve that dispute. It is certainly worth the Government brokering a conversation with the internet industry about setting up a mediation service for consumers who have legitimate concerns that their privacy has been breached or that online information about them is inaccurate or constitutes a gross invasion of their privacy to discuss whether there is any way to remove access to that information. I am sure that many internet companies will say that that is almost impossible, but when one hears stories such as that told by my hon. Friend the Member for Milton Keynes North, one wants at least to attempt to give consumers some opportunity to have a dialogue with internet companies, as they would be able to do if a newspaper had inadvertently published that information.
I hope that hon. Members have found my comments helpful and that I have been able to put into context what is happening with Google’s breach of data on Street View. I have set out my thoughts about personal remarks on the internet, establishing the regulatory regime for cookies and setting out the process that the Government are undertaking to strengthen privacy regulations on the internet alongside our European partners.
I thank my hon. Friends and Opposition Members for attending this debate. Their comments have shown a wide depth of knowledge and real concern about the subject. In particular, I thank the hon. Member for Wrexham (Ian Lucas), the Opposition spokesman, for his response, which was far from party political and very thoughtful. I thank the Minister for his reply, and I welcome some of his comments and particularly his decision to have a conversation with the Information Commissioner about future matters if anything like Street View happens again.
There is consensus that we are living in a privatised surveillance society and that no one quite knows what is happening, what internet companies are doing and what our rights are. I differ from the Minister in his view of the Information Commissioner’s Office’s 36-page compact. Its response thus far is more like Sir Humphrey than a shark with teeth, which is what it should be. Our data were taken away by internet companies; the ICO thought that nothing need be done about it; and only when it emerged a few days ago that our e-mails had been taken was it decided to open a new inquiry. The 36-page compact reminds me of the old 100-page constitution of the Soviet Union, which told everyone how free, wonderful and democratic the Soviet Union was. In reality, if there is a 36-page compact, it is certainly not working.
To return to the point that the Minister made about my hon. Friend the Member for Milton Keynes North (Mark Lancaster), it is great that he will hold a meeting to try to stop the problem, but it should not have happened in the first place. The whole point of my argument is that people should have been given a choice in whether their properties were put on Street View. We have not addressed that concern today, although I welcome some of what the Minister said will happen in the European Community and its various directives.
We need an independent commission because, whether we have a compact or not, things are clearly not working. Millions of people, not just in our country but throughout the world, feel deep unease and anxiety at the advance of internet companies and about our individual rights. That commission should be composed of experts, and it should analyse and examine the problem and come up with some solutions. We have a compact, but if that commission summarised those concerns into a Bill of Rights and could work out some sanctions on internet companies, that would be a small step forward.
Question put and agreed to.