Thursday 14th February 2019

General Committees
The Minister for Digital and the Creative Industries (Margot James)

I beg to move,

That the Committee has considered the draft Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019.

It is a pleasure to serve under your chairmanship, Mr Evans. Much of our current data protection framework derives from EU measures—namely the General Data Protection Regulation and the law enforcement directive—over which our Information Commissioner’s Office and UK civil servants have had considerable influence.

When the UK leaves the EU, the GDPR will no longer have direct effect on our law. It will however be retained in domestic law through the European Union (Withdrawal) Act 2018. A number of deficiencies will arise in this as a result of our leaving the Union. The purpose of the draft instrument is to ensure that UK data protection law continues to be operable after exit, and that the protections for data subjects and the obligations on data controllers and processors remain in place after we have left the European Union.

John Spellar (Warley) (Lab)

Does the Minister envisage the Government and, indeed, Parliament taking the opportunity to deal with some of the ludicrous interpretations of GDPR legislation, which lead to massive amounts of bureaucracy in both the public and private sectors?

Margot James

The right hon. Gentleman makes a valid point. I do not think that it pertains to this particular statutory instrument, but I am sure that if he requested a debate on those important matters, he would find a ready audience of hon. Members to participate in it.

Many of the changes made to the GDPR by the draft regulations are minor or technical, and replace European Union-related terminology with UK equivalents. In my remarks, I will cover a number of more complex issues relating to international transfers of personal data, extraterritorial application of the UK GDPR, regulatory co-operation, and our approach to what is known as “applied GDPR”.

On international transfers, the GDPR and part 3 of the Data Protection Act 2018 restrict the transfer of personal data to third countries, unless certain safeguards are met. One of those safeguards is a third country, or a sector within the country, being deemed “adequate” by the European Commission. If deemed “adequate”, data can flow freely to that country or sector. In the absence of an adequacy decision, data can still be transferred, but the onus is on controllers to make sure that alternative safeguards are in place to provide sufficient levels of protection.

The Commission will not be able to make adequacy decisions on behalf of the UK post exit. The regulations transfer that function and the function of preparing model contractual clauses to the Secretary of State. To minimise any disruption to established data flows from the UK to the EU post exit, the regulations add a number of transitional provisions to the 2018 Act. That includes a provision to continue to treat EU member states, other European economic area countries and Gibraltar as adequate in relation to processing under the UK GDPR.

Similar provision is made for personal data transferred to third countries for law enforcement purposes under part 3 of the Data Protection Act 2018. That permits transfers to third countries where the European Commission has found a country, territory or sector adequate under article 36 of the law enforcement directive. For law enforcement processing covered by part 3 of the 2018 Act, EU member states and Gibraltar will be treated as adequate to preserve the flow of critical law enforcement data to those places.

The provisions included in the regulations will allow UK businesses to continue to transfer data to their partners in the EU without any interruption. We propose to adopt a similar approach for countries that had been deemed adequate by the EU Commission by the time the draft regulations were laid before Parliament. That includes the EU’s decision on companies participating in the Privacy Shield scheme in the United States. Further regulations will shortly be introduced to clarify that personal data can be transferred only to those US companies that have updated their Privacy Shield commitment to include the UK.

The draft regulations do not refer specifically to the EU’s adequacy decision in relation to Japan, which was made after they were laid before Parliament, but we will work with the Japanese Government to consider what, if anything, is required in our domestic law to reflect that development. Where UK organisations rely on standard contractual clauses approved by the EU Commission as an adequate safeguard for transfers to other third countries, further transitional provisions will mean that they can continue to rely on those contracts.

Let me outline the draft regulations’ approach to the extraterritorial provisions in the GDPR. The GDPR applies not only to data controllers based in the EEA, but to data controllers based outside the EEA processing EEA data for the purpose of providing goods and services or monitoring individuals’ behaviour. Where a data controller outside the EEA is systematically processing data of EEA residents, it is required to appoint a representative in the EEA to act as a contact point for EEA supervisory authorities. To ensure that there will be no dilution in data protection standards when the UK leaves the EU, the draft regulations preserve the GDPR’s extraterritorial approach. In practice, that means that the UK GDPR will apply to certain data controllers based outside the UK that are processing data or monitoring the behaviour of data subjects in the UK. We have preserved article 27, which requires data controllers and processors based abroad who are systematically processing the data of people in the UK to appoint a representative in the UK.

Let me turn to regulatory co-operation. Articles 60 to 76 of the GDPR focus on how supervisory authorities in the EEA will work together to investigate data breaches that might affect people in more than one country. They also make provision about the supervisory authorities sharing guidance and best practice through the European Data Protection Board. If the UK leaves the EU without a deal, there will be no automatic right for the Information Commissioner to sit on the EDPB or participate in the GDPR’s one-stop-shop mechanism, so those provisions have been omitted from the UK GDPR. Even with a deal, the automatic right for the Information Commissioner’s Office to sit on the EDPB is not yet assured.

The draft political declaration makes it clear that the EU and the UK should continue to collaborate on data after we leave the EU. The draft regulations will retain article 50 of the GDPR in our law, ensuring that EU and UK data protection authorities will have a common basis for developing international co-operation mechanisms.

I will now outline what our exit from the EU might mean for “applied GDPR”, as provided for by the Data Protection Act. The Act creates a separate regime that provides for standards broadly equivalent to the GDPR to apply to processing activities that are outside the scope of EU law and not covered by parts 3 or 4 of the Act. As a matter of domestic law, the GDPR will not apply directly to any general processing activities when we leave the EU, so we can simplify matters by recreating a single regime for all general processing activities, including those that were previously covered by the applied GDPR. Provisions in the Data Protection Act that created or referred to the applied GDPR have therefore been removed from all relevant legislation. The draft regulations make it clear that the new single regime covers matters outside the scope of EU competence prior to the UK’s departure from the EU. The existing exemptions relating to national security and defence in the applied GDPR will be retained in the merged regime to ensure that the intelligence community can continue to carry out its vital work.

As I have set out, our approach is an appropriate way of addressing the deficiencies in data protection law resulting from the UK leaving the EU. I commend the draft regulations to the Committee.

--- Later in debate ---
Margot James

I thank hon. Members for their questions and comments. I will do my best to respond to them. I agree with the shadow Minister that the draft regulations are a wise precaution. He rightly mentioned that three quarters of our country’s international data flows are with other European Union member states. That is of course even more than the average for exports of other things, notably manufactured goods, which are almost 50% of our global trade.

I do not know whether the shadow Minister is concerned that, by locking into the GDPR, we will jeopardise our ability to strike trade deals with other countries. In previous debates, I have assured him that it is the Government’s intention that we continue to enjoy the benefits of the privacy and data rights that the GDPR has given British nationals, and we would not want to see those rights compromised by any trade deal in the future. The GDPR is becoming a gold standard for privacy and data rights globally—it is causing rising envy, certainly in the US.

The shadow Minister mentioned the age of consent, which is set at 13 in the Data Protection Act. That relates to the rights of young people to open accounts online. We have not reduced that age; we have set it. We set it within the band that the GDPR permits member states to set it. We were not alone in choosing 13; at least five other member states also set the age of digital consent at 13. He raised concerns, which I share, about some of the risks to young people online. We intend to address those through the White Paper we will publish shortly. I thank him and his team for the suggestions they have made to us over the past six months about what that White Paper should contain.

The shadow Minister asked about adequacy. He knows that we cannot guarantee adequacy, because it is in the EU’s gift rather than ours, but we have made it clear to the EU that we are ready to commence adequacy discussions just as soon as it is ready. We have had an indication from the Commission that, as long as we leave with a deal, it will be ready to start those discussions immediately. Given that we will be fully compliant at the moment of departure, it is highly likely that we will be able to conclude those discussions at the shorter end of the spectrum of times that adequacy discussions with third countries have taken in the past.

The shadow Minister asked about the contingencies we are making in the event of no deal. The ICO and officials in my Department have been working closely together, and the ICO has published approaches for both the public sector and industry in terms of the reach of the standard contractual clauses that will form a legal basis for transferring data in the event that we do not have an adequacy decision. Of course, if we left without a deal, we would not have an adequacy decision.

The hon. Member for Central Ayrshire asked whether EU citizens in her constituency and elsewhere in Scotland will continue to enjoy the same data rights and privacy. I can assure her that they will. They will have those rights as long as we leave with a deal. EU citizens’ rights are enshrined in the deal, and they will enjoy exactly the same provisions as citizens of this country, assuming we get that deal and implement these regulations. The regulations will preserve the GDPR’s extraterritorial approach in UK law.

Dr Whitford

Will the Minister therefore clarify—I understand that she might not be able to do so at this moment—why there is no reference to GDPR protection in the small print of the settled status scheme, other than a bald statement that people’s data can be shared pretty much with anybody?

--- Later in debate ---
Margot James

I will write to the hon. Lady with any clarification I can provide to give her the comfort she seeks. I do not have that precise information to hand, and I was not aware of the issue, but of course I will write to her.

Both the hon. Lady and the shadow Minister raised the issue of resources. We took a statutory instrument through last year that provided the ICO with a substantial increase in its budget and its ability to hire people, including experts. The ICO has added considerably to its staff over the past 12 months, and we will ensure that it continues to have the resources it needs to provide the invaluable service that it has a remit to provide. I assure all hon. Members of that important fact.

I note the remarks of my hon. Friend the Member for Wycombe. I remain hopeful, as he says he does, that we will get a deal that continues to protect the data rights of people in this country and a great deal more besides. I commend the draft regulations to the Committee.

Question put and agreed to.