Lord Bethell was Minister for Innovation at the Department of Health and Social Care during the pandemic.
Our data use is skyrocketing. Every day our phones and other devices record 181 zettabytes of data on our movements, finances, health, and families. A number so huge it’s impossible to visualise. It includes 333 billion emails, 24 billion texts, 1.5 billion swipes on Tinder. But mostly its video, from our cameras on our phones, doorbells, and, increasingly, our cars.
Is this safe? We live in the hope that nothing goes too badly wrong, leaning on contracts and privacy laws we haven’t read or understood. We have a mass optimism bias towards reputable brands with terrific advertising, brands like Apple, Google, and, increasingly, TikTok and BYD. It’s the Pollyanna Principle on a population-wide basis.
In today’s internet, your private data can easily find its way into the hands of a foreign government, which can analyse and store it. Worse, there’s nothing you can do about it. No pathway to redress, and no way of getting your private information removed. This isn’t fear-mongering. It is a modern reality as the growing number of tiny chips in your white goods and cars start broadcasting your data back home to countries with cheap factory production and flaky data laws like China, Russia, and India.
Data transfer is supposed to be protected by a set of standard contracts signed between the one who transfers and the one who receives the data. Currently, a loophole in UK data laws allows companies to transfer our personal data to countries that lack basic data protection standards, even though they cannot promise that data is safely protected.
As a result, we routinely sign contracts and assurances that promise that our data is protected. But it routinely ends up in countries like Russia and China, where the rule of law is a distant concept, and those reassurances are worthless.
Take Yandex in Russia or TikTok in China—these global giants transfer our most intimate details across borders– your location data, your political preferences, your sexuality, your habits, health data, and family life. When that data lands in a country like Russia, you lose control. Those contracts offer little protection against a demand for access from the Kremlin or the CCP. Neither would they do much to assist a UK user whose data had been accessed under the Chinese Intelligence Security Law.
This must change. We need those promises to mean something. We need them to protect our consumers from companies that send our data to places where our data rights can be enforced. And we need confidence in this important marketplace for data to protect the investment necessary for the next generation of digital innovation.
The UK GDPR sets out seven key principles on the approach to handling personal data. Accountability is one of the most important. The accountability principle requires any company to take responsibility for what they do with users’ data and how they comply with the other principles.
The law is clear that UK citizens are entitled to expect that their data is handled in locations where their rights can be enforced, and where there is a pathway to redress if things go wrong. But this simply isn’t the case in countries like Russia, where the law is the servant of the state and where no UK user could credibly be told that redress is a possibility.
We trust companies with our most sensitive information, expecting it to be safeguarded. But these data are being sent to places where privacy and data protection weigh much less than surveillance and vaguely defined “national security.”
This must stop.
This is why I propose an amendment to the Data Protection and Digital Information Bill. It seeks to prohibit data transfer to countries unable to guarantee minimum data security requirements. Our data ought to only go to places where it is genuinely protected.
But companies are currently shuffling data abroad, leaving us vulnerable without recourse. Take TikTok, a social media platform that has faced scrutiny for its data handing practices. Despite repeatedly assuring the public and parliamentarians globally that user data will be protected, it is still being shared with ByteDance, its Chinese parent company, which is required by Chinese law to give the Government access to collected data.
Given the national security-related laws in the country, UK users will be unable to exercise their right to legal redress. It is because neither TikTok, ByteDance, nor the Chinese government will have to tell you if there is authority access to your data, they can be required to lie about it by the authorities. As such, the reliance on foreign entities to safeguard our personal information underscores the need for stronger data protection measures and international cooperation to ensure that individuals’ rights are upheld regardless of where their data resides.
This amendment seeks to solve this problem. By prohibiting data transfer to countries lacking enforceable privacy laws, the UK would herald a new era of digital accountability and safety. We would be putting power back into the hands of UK citizens, protecting their rights and privacy in an increasingly digital world. The UK would be justified in positioning itself as a pioneer in data transfer standards, setting a global benchmark many will follow.
The US went part of the way to resolve the problem. Joe Biden issued an Executive Order to prevent mass data transfers deemed to pose a national security risk. But it stops short of establishing that certain jurisdictions will never meet minimal data protection standards. That is the pioneering principle at the heart of the amendment I have laid.
Once made into law, the amendment will provide protection for all users. Our data will not be transferred to places where minimal data protection standards cannot be met. Only countries that will be able to provide us sufficient safeguards will receive our data, and we will enjoy right to legal redress in case of data misuse. UK citizens will not only be better protected, but also empowered with control over their data.
Some may argue that this amendment is unnecessary, citing the existence of the current complex data protection laws – especially the GDPR, which people love to hate. The point is that we have no choice. We either get to grips with data rights, or we give authoritarians an advantage, compromising our privacy in the process. The pace of technological development far outstrips the development of law and bureaucratic deliberation at the moment.
We are somehow naked in the eyes of online service providers who know so much about us. We cannot afford to have intimate information about us falling into the wrong hands without any means of accountability. It is time to put control back into the hands of UK citizens.
Lord Bethell was Minister for Innovation at the Department of Health and Social Care during the pandemic.
Our data use is skyrocketing. Every day our phones and other devices record 181 zettabytes of data on our movements, finances, health, and families. A number so huge it’s impossible to visualise. It includes 333 billion emails, 24 billion texts, 1.5 billion swipes on Tinder. But mostly its video, from our cameras on our phones, doorbells, and, increasingly, our cars.
Is this safe? We live in the hope that nothing goes too badly wrong, leaning on contracts and privacy laws we haven’t read or understood. We have a mass optimism bias towards reputable brands with terrific advertising, brands like Apple, Google, and, increasingly, TikTok and BYD. It’s the Pollyanna Principle on a population-wide basis.
In today’s internet, your private data can easily find its way into the hands of a foreign government, which can analyse and store it. Worse, there’s nothing you can do about it. No pathway to redress, and no way of getting your private information removed. This isn’t fear-mongering. It is a modern reality as the growing number of tiny chips in your white goods and cars start broadcasting your data back home to countries with cheap factory production and flaky data laws like China, Russia, and India.
Data transfer is supposed to be protected by a set of standard contracts signed between the one who transfers and the one who receives the data. Currently, a loophole in UK data laws allows companies to transfer our personal data to countries that lack basic data protection standards, even though they cannot promise that data is safely protected.
As a result, we routinely sign contracts and assurances that promise that our data is protected. But it routinely ends up in countries like Russia and China, where the rule of law is a distant concept, and those reassurances are worthless.
Take Yandex in Russia or TikTok in China—these global giants transfer our most intimate details across borders– your location data, your political preferences, your sexuality, your habits, health data, and family life. When that data lands in a country like Russia, you lose control. Those contracts offer little protection against a demand for access from the Kremlin or the CCP. Neither would they do much to assist a UK user whose data had been accessed under the Chinese Intelligence Security Law.
This must change. We need those promises to mean something. We need them to protect our consumers from companies that send our data to places where our data rights can be enforced. And we need confidence in this important marketplace for data to protect the investment necessary for the next generation of digital innovation.
The UK GDPR sets out seven key principles on the approach to handling personal data. Accountability is one of the most important. The accountability principle requires any company to take responsibility for what they do with users’ data and how they comply with the other principles.
The law is clear that UK citizens are entitled to expect that their data is handled in locations where their rights can be enforced, and where there is a pathway to redress if things go wrong. But this simply isn’t the case in countries like Russia, where the law is the servant of the state and where no UK user could credibly be told that redress is a possibility.
We trust companies with our most sensitive information, expecting it to be safeguarded. But these data are being sent to places where privacy and data protection weigh much less than surveillance and vaguely defined “national security.”
This must stop.
This is why I propose an amendment to the Data Protection and Digital Information Bill. It seeks to prohibit data transfer to countries unable to guarantee minimum data security requirements. Our data ought to only go to places where it is genuinely protected.
But companies are currently shuffling data abroad, leaving us vulnerable without recourse. Take TikTok, a social media platform that has faced scrutiny for its data handing practices. Despite repeatedly assuring the public and parliamentarians globally that user data will be protected, it is still being shared with ByteDance, its Chinese parent company, which is required by Chinese law to give the Government access to collected data.
Given the national security-related laws in the country, UK users will be unable to exercise their right to legal redress. It is because neither TikTok, ByteDance, nor the Chinese government will have to tell you if there is authority access to your data, they can be required to lie about it by the authorities. As such, the reliance on foreign entities to safeguard our personal information underscores the need for stronger data protection measures and international cooperation to ensure that individuals’ rights are upheld regardless of where their data resides.
This amendment seeks to solve this problem. By prohibiting data transfer to countries lacking enforceable privacy laws, the UK would herald a new era of digital accountability and safety. We would be putting power back into the hands of UK citizens, protecting their rights and privacy in an increasingly digital world. The UK would be justified in positioning itself as a pioneer in data transfer standards, setting a global benchmark many will follow.
The US went part of the way to resolve the problem. Joe Biden issued an Executive Order to prevent mass data transfers deemed to pose a national security risk. But it stops short of establishing that certain jurisdictions will never meet minimal data protection standards. That is the pioneering principle at the heart of the amendment I have laid.
Once made into law, the amendment will provide protection for all users. Our data will not be transferred to places where minimal data protection standards cannot be met. Only countries that will be able to provide us sufficient safeguards will receive our data, and we will enjoy right to legal redress in case of data misuse. UK citizens will not only be better protected, but also empowered with control over their data.
Some may argue that this amendment is unnecessary, citing the existence of the current complex data protection laws – especially the GDPR, which people love to hate. The point is that we have no choice. We either get to grips with data rights, or we give authoritarians an advantage, compromising our privacy in the process. The pace of technological development far outstrips the development of law and bureaucratic deliberation at the moment.
We are somehow naked in the eyes of online service providers who know so much about us. We cannot afford to have intimate information about us falling into the wrong hands without any means of accountability. It is time to put control back into the hands of UK citizens.