Wednesday 25th November 2020

(3 years, 12 months ago)

General Committees
Read Hansard Text
None Portrait The Chair
- Hansard -

Before we begin, I must remind Members about the social distancing rules, as we are in a very small room. I see that Chi Onwurah has done her best, by limiting the numbers on the Opposition side to make it easier. [Interruption.] I also remind Members that if they have any speaking notes, our Hansard colleagues would like them at hochansardnotes@parliament.uk.

John Whittingdale Portrait The Minister for Media and Data (Mr John Whittingdale)
- Hansard - - - Excerpts

I beg to move,

That the Cttee has considered the draft Data Protection Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020.

It is a pleasure to serve under your chairmanship this afternoon, Mr McCabe. The statutory instrument was laid before both Houses on 14 October and is made under the European Union (Withdrawal) Act 2018. The main intention is to ensure that the UK’s data protection framework will function correctly at the end of the transition period, and that there will be no data cliff edges. I want to bring to the Committee’s attention the fact that neither the Joint Committee on Statutory Instruments nor the House of Lords Secondary Legislation Scrutiny Committee has drawn either House’s attention to the SI.

Where the transition period comes to an end, the European Union’s regulation on data protection, known as GDPR, will be retained in domestic law through the European Union (Withdrawal) Act 2018. Last year the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 were made. They made minor changes to the retained GDPR under the Data Protection Act 2018, to ensure that UK data protection law would continue to operate on exit day.

The statutory instrument before the Committee today makes limited amendments to those regulations. The majority of the changes are updates of exit day references to read “IP completion day”. The SI will also revoke some EU legislation that would have no practical effect if it were to be retained under the European Union (Withdrawal) Act 2018 at the end of the transition period.

There are a small number of other changes, which relate to the transitional provisions for international transfers of personal data. At the end of the transitional period UK organisations will be able to transfer personal data outside the UK if it is covered by an adequacy regulation, an appropriate safeguard, or an exception. Currently UK organisations can freely transfer personal data to EU and European economic area member states and to non-EEA countries for which the EU Commission has made adequacy decisions.

The regulations that I have referred to continue that position on a transitional basis. For clarity, the relevant adequacy decisions are listed. The measure before the Committee updates that list to reflect recent developments, adding the EU’s adequacy decision for Japan, and removing the reference to the adequacy decision for the US privacy shield. These amendments are not substantive, and are entirely in keeping with the original intention of the main regulations—namely, to ensure the continued free flow of personal data between the UK and third countries that have already been found to meet the requisite standards for data protection.

Binding corporate rules are an internal code of conduct operating within a multinational group, which has been approved by EU data protection regulators, to enable personal data to be transferred within the global group. The main regulations preserve pre-GDPR binding corporate rules that were previously authorised by the Information Commissioner as a valid transfer mechanism after the transition period. However, a subset of pre-GDPR binding corporate rules currently relied on by organisations with data flows in the UK may have received authorisation only from EU supervisory authorities. The SI before the Committee makes provisions that will allow UK-based group members to use such rules as a valid transfer mechanism if they obtain approval from the Information Commissioner within six months of the end of the transition period.

The main regulations also provided a legal basis for the continued free flow of personal data from the UK to the EU, falling within the scope of the law enforcement directive, otherwise known as the LED. The approach adopted in the main regulations was to transitionally deem EU member states and Gibraltar as adequate.

Since the main regulations were made, the Home Office has established that Norway, Iceland, Liechtenstein and Switzerland have also transposed the law enforcement directive into their domestic law, which enables data sharing between authorities in the UK and law enforcement agencies within these countries. In order that law enforcement co-operation and data sharing can continue as it does now, following the end of the transition period, this instrument adds these EEA states and Switzerland to the list of countries that will be treated as adequate on a transitional basis.

Finally, I turn to the revocation of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. In 2019, an additional SI was made to amend the main regulations to reflect the arrangements made for personal data transferred from the UK to privacy shield companies in the US. As the CJEU has invalidated the adequacy decision, the amending regulation no longer has any practical affect and, therefore, this regulation revokes that amending regulation before it comes into force.

As I have set out, these regulations address deficiencies in our data protection regime resulting from the UK’s leaving the EU at the end of the transition period. I commend the regulations to the Committee.

--- Later in debate ---
John Whittingdale Portrait Mr Whittingdale
- Hansard - - - Excerpts

I am grateful to the hon. Lady for indicating that the Opposition do not intend to oppose the regulations and for her remarks. I am tempted to say that we should stop meeting like this, but I think we may be doing so again in further Committees.

The hon. Lady and I absolutely agree about the importance of data in fuelling economic growth and innovation. She does not like the expression “new oil” in that context, and I understand why, but I am not sure that her suggestion about people going around excreting a trail of data was much more preferable an analogy. Nevertheless, data is of increasing importance, and the Government are keen to ensure that we reap the maximum benefit from it to create an economy driven by innovation and growth, based on the free flow of data. At the same time, we absolutely recognise the importance of data protection, which is, as she said, underpinned by GDPR, a set of EU regulations.

The hon. Lady referred to the fact that we are still in negotiation with the EU Commission about adequacy. In our view, there is no reason that we should not be granted adequacy—after all, our data protection regime is one that the EU formulated—but that is a matter ultimately for the Commission to decide. Certainly, the time left before the end of the transition period is reducing and this is therefore challenging, but we are still optimistic that it can be achieved. We have indicated to business that it is sensible to put in place the mechanisms necessary to ensure that data can continue to flow from the EU to the UK should adequacy not be achieved.

I am sure the Committee would have been disappointed if the hon. Lady had not mentioned Schrems II, which we all think about a great deal. Schrems II resulted in some quite tricky decisions, not just for the UK, because we are bound by the Schrems II judgment that negated the privacy shield, but it creates equal challenges for the EU, which is something the EU is working on; the Information Commissioner’s Office is still in conversation; and we hope to find a mechanism to allow the flow of data between EU member states, the UK and the USA to continue.

The hon. Lady is right that, even if we achieve adequacy, this is an ongoing process. We would not be negotiating as hard as we are to achieve adequacy if we intended to do anything shortly afterwards that resulted in our losing it again. On the other hand, we wish to take advantage of the fact that we will be responsible for our own data protection regime, and we wish to explore ways to facilitate the flow of data between companies and to drive growth forward. That is an opportunity, since we will no longer be bound by the Court of Justice of the European Union rulings, although in terms of adequacy decisions we will need to watch developments in the EU. Should those rulings change things, there might be implications for its attitude to our adequacy.

We certainly have no intention of doing anything that results in a loss of adequacy. The national data strategy mentioned by the hon. Lady is intended to consult very widely all those who potentially have an interest in the matter—companies that use data, privacy campaigners, stakeholders and so on—to find ways in which we might improve the UK’s data regime. She referred to the Opposition’s suggestion of a digital charter. I hope she has responded to the national data strategy, as we are obviously interested in any ideas that she has.

On trade agreements, which the hon. Lady also talked about, it is true that, for instance, the UK-Japan trade agreement contains data provisions that go beyond the EU-Japan agreement, and we regard that as a considerable achievement. However, nothing in the agreement undermines the data protection regime in this country. Indeed, the agreement makes it absolutely clear that both sides are able to maintain a legal framework that provides for the protection of personal information. The trade agreement with Japan will, we hope, result in a freer flow of data between the UK and Japan, but at the same time not undermine GDPR and our existing protection.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for his responses and his genuinely seeking to answer my questions, which is something of an experience for me. We have an agreement with Japan, which means data will be allowed to go to Japan. Japan has an agreement with the US, so data is allowed to go to the US. That undermines our conditions on data flowing from the UK to the US if they do not meet the European Union adequacy rules. That is what I meant by a back door.

John Whittingdale Portrait Mr Whittingdale
- Hansard - - - Excerpts

I understand the hon. Lady’s concern, but I do not think it is justified. There is nothing forcing any company to transfer data from the UK to Japan or any other third country. We seek to remove unnecessary obstacles that impede that flow, but that does not undermine the requirements on UK-based companies to comply with the existing data protection regime. Indeed, that is spelt out clearly in the agreement. We do not believe that that is a risk, but it is something we continue to attach priority to, and we will keep it in mind for the future trade agreements that we are hopeful of striking.

I hope I am answering the points that the hon. Lady made. The point she made at the end of her remarks was about the obligations on the tech platforms, and she talked about disinformation and fake news. As she will be aware, the Secretary of State had a recent roundtable specifically to talk about the efforts made by the tech platforms to address the problem of disinformation about a potential covid vaccine. She will also know that the issue of obligations on tech platforms will be addressed through the online harms legislation that we still expect in the near future.

I hope I have answered the hon. Lady’s questions and I commend the regulations to the Committee.

Question put and agreed to.