Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 Debate
Baroness Ludford (Liberal Democrat - Life peer)
(5 years, 8 months ago)
Lords Chamber
My Lords, I was planning a peroration, but I think I will leave it at that.
My Lords, first I have a couple of housekeeping questions which I hope are not too banal. I find considerable difficulty using the legislation.gov.uk website and its search function. Will the Minister ask his civil servants to check it out? Even if you search for “data protection 2019” under UK SIs, both the previous one and this are difficult to find. There was a 19 December version of these regulations, which were replaced in January. I must admit that I have not pored over every line of both to find the differences. Will the Minister explain why that was necessary?
Secondly, I want to ask about the absence of an impact assessment. Paragraph 12 of the Explanatory Memorandum states that:
“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”.
The pretext is that, while the Government recognise that:
“Data flows from the EEA to the UK may be restricted post-exit”—
because, if there is no deal, we will be plunged into a situation where there is no legal framework and no adequacy decision—
“that is as a consequence of the UK leaving the EU, not as a result of this instrument”.
That is the justification for having no impact assessment. However, if we left with a withdrawal deal and a transition there would be a legal framework, so this instrument, which provides for both a no-deal scenario and one in which there would be no adequacy decision, surely merits an impact assessment as well as the consultation to which the noble Lord, Lord Adonis, referred.
As the ICO has made clear, and as has been mentioned already, businesses may have to deal both with the ICO and with European data protection authorities in every EU and EEA state where they have customers. They may need a European representative if they process the data of people resident in the EEA or have customers in the EEA. There would be additional complexity if they had to comply with both the GDPR and the UK GDPR. They could face concurrent legal claims in both the UK and the EEA. Will the Minister amplify the justification for having no impact assessment? Data flows are crucial to many businesses, not just the tech industry—there is hardly a business or other organisation that they do not affect—so the rather blasé claim that no impact assessment is needed is not justified.
I am a bit confused—it may just be my lack of understanding—about the situation regarding EU adequacy decisions on third countries. Paragraph 2.8 of the Explanatory Memorandum says there will be,
“incorporated into UK domestic law … EU decisions on the adequacy of third countries and on standard contractual clauses, both of which are relevant for … international transfers”.
Paragraph 2.13 says:
“It will not be necessary to retain the EU decisions on adequacy and standard contractual clauses … so these are revoked by this instrument”.
If I have understood the Minister’s presentation, this is explained by the fact that we are recognising and incorporating past EU adequacy decisions, but that in the future, in a no-deal scenario, the UK will take over that function: I venture to suggest that that is not very clearly explained in the Explanatory Memorandum.
Would it help if I just said that the noble Baroness is absolutely right in her interpretation?
I do not often get that response from Ministers, so that is very gratifying.
Also, a second version of these regulations was published at the end of last week—I think the Minister referred to it—which is specifically about privacy shields in the US. I am rather surprised that we will have two separate considerations: why could they not have been incorporated into this debate? As the ICO pointed out in a notice a while ago, US companies will need to update their privacy shield commitments to state that they apply to transfers of personal data from the UK. That is a big deal for many companies. It is another reason for what I said about the need for an impact assessment. If that does not happen, a lot of companies will be in serious difficulty.
Will the Minister tell us what advice the Government are giving businesses on using standard contractual clauses or binding corporate rules in the absence of an adequacy decision? The European Data Protection Board issued a notice about this last week, on 12 February. Are the Government going to advise businesses, large and small, exactly how this will work? Lastly, what progress is being made on an adequacy decision? The Minister will know from discussions during the passage of the EU withdrawal Act and the Data Protection Act that many of us are worried about this issue. Last summer, the Government expressed their aspiration for a legally binding agreement that would be more than a unilateral adequacy decision and which would enable the ICO to have a seat on the European Data Protection Board. Essentially, it would be Brexit in name only and would retain all the benefits of being in the EU with regard to data protection structures. That aspiration is not recognised in the political declaration, which talks only about an adequacy decision, so the UK has been knocked back in that area. Perhaps the Minister could tell us precisely where we are. What signal is he getting from the Commission on an adequacy decision? Are we talking months or years?
The noble Lord is right, but I do not think that that day is far off; I think it will come soon. Let us be clear: we are not talking about a natural disaster. As a Minister, I often had to deal with those. When there are ash clouds and volcanoes erupt, you have to take very difficult and extreme decisions at short notice. Here we are talking about an act which the Government are inflicting on the country, with no external agency whatever. Not only that, but the Government could this afternoon terminate the situation we are faced with, in respect of these no-deal regulations, by the Prime Minister announcing that she is not proceeding with no deal and that she will, on behalf of the United Kingdom, submit a request to extend Article 50—or, as we now know she can do from the judgments of the European court, rescind it unilaterally. This will be a big matter for the public inquiry that the noble Lord, Lord McNally, is referring to. All the consequences of this no-deal situation are caused by the Government, and the remedy for them is entirely at the disposal of the Government. It is our absolute duty to point this out all the way through this process, so that at least some of us in the parliamentary system can point to the fact that we did our level best not to take the nation to the edge of the cliff where we are now at.
Coming back to this instrument, it is totally unacceptable that we are dealing with such an important set of regulations relating to the fundamental issue of data and data protection and there has been neither an impact assessment nor any public consultation.
My Lords, I asked the Minister about the state of play on an adequacy decision. I am told that the Minister in the other place, Margot James, confirmed a few weeks ago not only that those discussions can start—at least formally—only after the UK leaves the EU, but that they would take two years; that was her estimate. So that multiplies the gravity of having no impact assessment; if we crash out without a deal, we will have a legal void for a long time.
The noble Baroness raises a very important question, to which the Minister should respond: how long will it take to consider this? Noble Lords who woke up to the “Today” programme this morning will have been astonished to find that Dr Liam Fox and the Foreign Secretary had written to the Japanese Prime Minister telling him to get a move on in signing a trade deal with Britain—as if we, because we are putting ourselves in a position of great jeopardy and undermining existing international agreements in five weeks, can now start instructing foreign Governments on the timescales in which they should conduct international negotiations. This is utterly humiliating to us as a country. It is a fundamental breach of the proper conduct of public affairs. What the noble Baroness said about it taking another two years even to get the basis of data adequacy agreements with the EU, because of our act of withdrawing from the European Union, simply underlines the point.
My Lords, I took the advice of the noble Lord, Lord McNally, that it would not be easy—and he has proved to be right. It is reasonable to take on board the frustrations that some of these SIs have caused—in my view, not so much because of the process which is gone through but the fact that some noble Lords do not want to leave the EU and are highlighting the effects. What they are highlighting may well be the case, but when we are trying to pass an SI such as this one we need to concentrate on its effect and—that did not take long.
I am sorry but the Minister must accept this. It is absolutely true—I speak for myself and my Benches—that we would prefer to remain in the EU, but that is not the point about an impact assessment. There is a difference between crashing out with no deal and a transitional period when EU law would continue to be applicable and we would not need all these arrangements. That is what an impact assessment would have to assess. This is about a no deal crash-out and it is perfectly valid to distinguish that from an advocacy of remain.
I agree. That is why the Government are making all efforts to secure a deal. We agree that a deal is the best situation for the country. We are at one with that.
In answer to the noble Baroness, I will start with something which is my responsibility—the legislation.gov.uk website provided by the National Archives. I will take up the matter with it. I am told that it may be helpful to search for “draft statutory instruments” rather than “statutory instruments”. I certainly listened to what she said about the website not working and will check what we need to do.
The noble Baroness, the noble Lord, Lord Adonis, and others talked about the impact assessment and asked why it has not been published. The impact of this instrument, not the impact of leaving the EU, was assessed in line with standard practice following the existing Better Regulation framework. It is focused on the direct impact of the relevant SI compared with the current legislation. The whole point of this SI is to maintain an equivalent regulatory framework to protect personal data. The noble Lord, Lord Adonis, quite rightly pointed out that it affects not only UK businesses but mostly EU and EEA businesses, which will have to have representatives in this country, and I will come to that. It is a reciprocal arrangement. If these regulations come into force and we have a UK GDPR, the same necessity for representatives will take place both ways, and I will come to that.
The analysis, to the best of the Government’s ability, of the wider impact of the UK’s exit from the EU was published in the Long-term Economic Analysis in November last year. The noble Lord, Lord Adonis, talked about representatives and Article 27. He is correct that data controllers who offer goods and services to or monitor the behaviour of data subjects in the UK will need to appoint a representative in the UK, but that is a cost to non-UK businesses, which is what the impact assessment is meant to address. He is also correct that there will be organisations in the UK that will be required as a matter of EU law to appoint a representative in the EEA. The ICO provides data controllers with advice on this obligation and will continue to do so. If controllers and processors based abroad are routinely processing data, it is right that they should be accountable in the UK and have a presence here because this is about maintaining the status quo as far as possible, not about rolling back protections for individuals, so the representative is a point of contact for the data subject as well as the supervisory authorities, such as the Information Commissioner.
I want to get some clarity on this and perhaps the Minister will be able to help me. He is quite clear that, for a wide variety of companies, there will need to be one representative in the UK and, he seems to imply, one representative in the EEA. Is that correct, or does there need to be one in each country within the EEA—or does the individual in the EEA have to deal with different regimes because of the different local regulators and because it is representing a third country in its work? I am trying to work out how great the burden that he has indicated will be, even though he does not think that it will be part of the impact.
Before the Minister answers, I would like to press again this idea that an impact assessment is not needed since the impact comes from leaving. I say no to that; it depends how you leave. The Minister and I may differ on the desirability of the Prime Minister’s deal, whatever that is going to be, but there is a difference between crashing out and having a transition with a political declaration which may avoid the need for duplication; we do not know what the data protection provisions will be in the future relationships. We all hope that there will be a strong degree of mutual recognition, but the immediate impact of crashing out with no deal—with a void where any adequacy decision or future reciprocal relationship between regulators would otherwise be—is quite different. First, it is different from having a standstill transition and, secondly, it is different from having the prospect, or at least the hope, of a long-term relationship that preserves something of the single market. We need the impact assessment to assess the difference between those two scenarios; that is what the Minister does not seem to grasp.
I agree with the noble Baroness that, if we leave with a deal, that is a different scenario from leaving with no deal. That seems an obvious fact and it is why the Government are trying to leave with a deal, which is what the Prime Minister is trying to achieve. This is a no-deal exit SI to prepare for that eventuality. If we leave with no deal, the object of the exercise will be to preserve the GDPR standard of data protection, which this SI will do. To return to the point raised by the noble Lord, Lord Adonis—sorry, it might have been raised by the noble Baroness, Lady Kramer—the requirement to appoint one representative in the EEA is, as I said, a result of EU law.
I say again to the noble Lord, Lord Adonis, regarding the impact on business of Article 27, that we think that if controllers based abroad are routinely processing the data of people in the UK then it is right that they should be accountable and have a presence in the UK, because it is about trying to maintain the status quo as far as possible for individuals and not rolling back their data protection. The representative is a point of contact for the data subject as well as supervisory authorities such as the Information Commissioner.
I turn to the points made by the noble Lord, Lord McNally, about the complexity for organisations potentially subject to dual regulation. The point of this instrument was to ensure the minimum disruption to organisations and to data subjects by trying to retain the effect of the data protection legislation where possible. The relationship is absolutely changing but the instrument ensures that we can co-operate on an international level with not only the EU supervisory authorities but those in other countries; that is why we have kept Article 50 of the GDPR. Where he is right, and I accept that he is right in this, is that if we move away from the GDPR—if the UK GDPR moves away from the EU GDPR—that will have consequences for the adequacy decision that we hope to achieve, which will be reviewed by the EU Commission. It is important that the EU has confidence that our data protection regime is “essentially equivalent”, which is what the adequacy decision is based on. Anything that we do in future will have to bear in mind that our data regime is essentially equivalent so that it gives the EU confidence.
I agree with the noble Baroness, Lady Ludford, that in previous times there were elements that were outside EU competence that it could not look at, but now of course in an adequacy decision it will be able to look at those. Again, as it does in other adequacy decisions, it will look at the overall adequacy requirement and say whether or not it is essentially equivalent. That is why the adequacy decision is not immediate. Where we start in a good place compared to other regimes is that we have started with an equivalent regime to the extent that we have enacted the GDPR, which other third countries have not. We start on a level playing field in that respect.
The noble Baroness talked about the US privacy shield and the reason why we are going to lay another set of regulations. The discussions on the US privacy shield were ongoing when this SI was laid and therefore we could not wait. It was our priority to lay this SI so that we had an ongoing regime in the event of no deal. Now that that has been agreed between us and the US, though, another SI will be laid—it may even have been laid—to ensure that the US requirements continue, and I think that will happen very soon.
The noble Baroness asked about the EDPB’s recently published guidance on the implications of the UK’s exit. That guidance confirmed that, if the EU Commission does not make an adequacy decision in respect of the UK, EU firms will need to put in place alternative transfer mechanisms, such as standard contractual clauses to continue to transfer personal data to the UK.
The noble Baroness suggested that the political declaration only covered adequacy. That is not right: paragraph 9 addresses the free flow of data while paragraph 10 addresses regulatory co-operation.
The noble Lord, Lord Adonis, and the noble Baroness, Lady Ludford, talked about consultation. The difference between this SI and many others is that the Data Protection Act came into force less than a year ago; it was enacted after extensive discussions in this House and the other place, after the referendum discussion had taken place. Those noble Lords who participated in the Data Protection Act discussions, which lasted for many weeks, all know that matters such as data adequacy were raised numerous times. The whole purpose of the Act, and the mixture between regulations and derogations from regulations, was that we would be on as level a playing field as we could be when it came to getting an adequacy decision.
I withdraw the word “farce”. However, while the Minister is putting great emphasis on the good fit between what he is proposing and the GDPR, the reason why that good fit exists, as I said in my remarks, is that the GDPR itself was massively influenced by British officials, who played a major role in its construction. What he is gliding over in his assurances is that if, as is likely, there are changes in the European GDPR in future then we will be coming, like the Norwegians, only to listen and accept—because, make no mistake, if there are changes in future, it will be massively in Britain’s interest to accept them. This is the loss of sovereignty that the whole process is trying to glide over. We will not have the same influence on data protection in future as we have had in the GDPR itself, which is why the fit is so comfortable at the moment.
Forgive me, but I would like to follow up on that. I really think the Minister is overselling what is in paragraph 9 of the political declaration. Last June, the Government issued a technical note about wanting a legally binding data protection agreement, and I described that earlier as a “Brexit in name only” kind of arrangement. They wanted that because there are,
“benefits that a standard Adequacy Decision cannot provide”.
Except for one sentence in paragraph 10 that talks about arrangements for appropriate co-operation between regulators, paragraph 9 is about a standard adequacy decision—no less but certainly no more. It talks about the European Commission recognising,
“a third country’s data protection standards as providing an adequate level of protection”.
It is not what the Government hoped for last June. I do not understand why the Government are trying to pretend. We can all read paragraph 9 once we have googled it and reminded ourselves, so to say that it is more than an adequacy assessment process is simply not true.
I understand the point from the noble Lord, Lord McNally, that our new position will not be the same as being in the EU. If we were a third country, I would expect us to have less influence than if we were a member of the EU. I am not denying that; it seems obvious. He is absolutely right that the GDPR was influenced by the UK, not only by officials in the negotiations but specifically by the ICO, which is regarded as one of the leading regulators in Europe. Of course, it will not have the same position as it did if we are not in the EU; I take that point.
However, I do not base everything on just the political declaration, which may or may not have some influence. It is also that we have retained Article 50 of the GDPR. I cannot remember the exact words, but it is on the basis of that that the EU talks about international co-operation with third countries, so there is a mechanism. As I said to the noble Lord, Lord McNally, it will not be the same, but there are bases for international co-operation. The EU wants that to happen and understands that in things such as data protection, you have to have an international consensus. In fact, on that, it is more important to go beyond the EU and do it internationally. Other organisations should—and do—take views on this. I think we are at the start of the journey on control of cross-border data flows and it will provide a further basis to influence behaviour.
On adequacy, it is easy to ask for detailed timelines on when this will take place. It will not take place on exit day, because it is not possible for the EU to give an adequacy decision unless you are a third country. Preliminary discussions—which, as the noble Baroness, Lady Ludford, has indicated, may take some time—could begin now and we are ready to begin those discussions as soon as we can. We are already liaising with the European Commission—in fact, senior officials were in Brussels for talks last week—and we have liaised with member states on this subject. When the EU is ready to begin discussions, we are confident that we will be ready, but it is impossible to say how long that will take because, as the noble Baroness said, it is not a decision that is in our gift.
However, we start from a position of regulatory alignment on data protection. We implemented the GDPR and the law enforcement directive. We have also taken a GDPR approach on data protection to areas that were outside EU competence, such as law enforcement and national security, so we start in a very good position. In fact, it is such a good position that the UN special rapporteur on the right to privacy declared that the UK now co-leads in Europe and globally on privacy safeguards, and has made significant improvements in its oversight system since 2015. He said that,
“the UK has now equipped itself with a legal framework and significant resources designed to protect privacy without compromising security”.
It is important to note that there is a strong mutual interest in data adequacy.
The noble Lord, Lord Adonis, said that it is unsafe to pass this SI. I would like to point out what that would mean, if it is not passed and we have a no-deal exit. It would mean that we would cease to have properly functioning data protection law. The whole basis for adequacy decisions, which I think we all agree is very important, would go, because we would not be on a reciprocal basis—
There are mitigations which prevent that—standard contractual clauses and binding corporate rules. Plus, it depends a lot on the proportionate approach that the regulators in the EU take. There would be an impact; we would have to arrange mitigations, which would be a cost to business. That is what has been set out in the technical notice to business.
The Minister is making a very good case for why there should have been an impact assessment.
I am making a very good case for why we want a deal. As I have said several times, we want a deal.
I think I have been through most of the questions raised by noble Lords. The important thing about this statutory instrument is to have a fully functioning data protection regime. If we go back to the original reasons why we passed the Data Protection Act 2018 with a fair bit—a lot, I would say—of cross-party support, the reason that it is important is to give individuals protection for their personal data. We must bear that in mind. These regulations will preserve that protection for individuals and set us on the road to a successful conclusion of our adequacy agreement when we get to the stage where the EU will allow us to negotiate it. That is why I beg to move.