(5 years, 9 months ago)
Lords Chamber
My Lords, I just want to add to what my noble friend Lord McNally has said. I am glad that this matter is being cleared up, because we had very confusing advice a few months ago. I also want to note, as one of the people who was involved in the European Parliament’s proceedings on the GDPR, that it is a UK decision to impose a fee on data controllers. The mandatory requirement was removed from the GDPR, and it is a unilateral UK decision to fund the ICO in this way so that, in effect, data controllers in the UK will not feel the change which perhaps will be felt by data controllers in other EEA states, where Governments make a decision to fund their data protection authorities from, for instance, general taxation. I realise that that decision was made in the Digital Economy Act rather than in last year’s Data Protection Act, but it is imposed not by Brussels but by Whitehall and Westminster.
My Lords, these amendments represent a little island of calm in a turbulent ocean. For once, I am referring not to Brexit or the backstop but, rather, to the fact that we are in the middle of some very turbulent changes in our regimes for the protection of data and privacy and many other aspects of communication. This morning, we saw the publication of the report of the Digital, Culture, Media and Sport Committee of the other place on disinformation and “fake news”. In so far as I have got into the report—which is not very far—it is very welcome in that it represents a much broader view of the threats to democracy from the present regime for controlling the use of data. There is much more to be said, and I hope that the Minister will be able to say something about the ways in which the broader picture will be taken into account. These amendments do not need changing because of the broader picture, but it is curious to fiddle with the small stuff when such major and serious issues are happening in this domain.
(5 years, 9 months ago)
Lords Chamber
My Lords, I was planning a peroration, but I think I will leave it at that.
My Lords, first I have a couple of housekeeping questions which I hope are not too banal. I find considerable difficulty using the legislation.gov.uk website and its search function. Will the Minister ask his civil servants to check it out? Even if you search for “data protection 2019” under UK SIs, both the previous one and this are difficult to find. There was a 19 December version of these regulations, which were replaced in January. I must admit that I have not pored over every line of both to find the differences. Will the Minister explain why that was necessary?
Secondly, I want to ask about the absence of an impact assessment. Paragraph 12 of the Explanatory Memorandum states that:
“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”.
The pretext is that, while the Government recognise that:
“Data flows from the EEA to the UK may be restricted post-exit”—
because, if there is no deal, we will be plunged into a situation where there is no legal framework and no adequacy decision—
“that is as a consequence of the UK leaving the EU, not as a result of this instrument”.
That is the justification for having no impact assessment. However, if we left with a withdrawal deal and a transition there would be a legal framework, so this instrument, which provides for both a no-deal scenario and one in which there would be no adequacy decision, surely merits an impact assessment as well as the consultation to which the noble Lord, Lord Adonis, referred.
As the ICO has made clear, and as has been mentioned already, businesses may have to deal both with the ICO and with European data protection authorities in every EU and EEA state where they have customers. They may need a European representative if they process the data of people resident in the EEA or have customers in the EEA. There would be additional complexity if they had to comply with both the GDPR and the UK GDPR. They could face concurrent legal claims in both the UK and the EEA. Will the Minister amplify the justification for having no impact assessment? Data flows are crucial to many businesses, not just the tech industry—there is hardly a business or other organisation that they do not affect—so the rather blasé claim that no impact assessment is needed is not justified.
I am a bit confused—it may just be my lack of understanding—about the situation regarding EU adequacy decisions on third countries. Paragraph 2.8 of the Explanatory Memorandum says there will be,
“incorporated into UK domestic law … EU decisions on the adequacy of third countries and on standard contractual clauses, both of which are relevant for … international transfers”.
Paragraph 2.13 says:
“It will not be necessary to retain the EU decisions on adequacy and standard contractual clauses … so these are revoked by this instrument”.
If I have understood the Minister’s presentation, this is explained by the fact that we are recognising and incorporating past EU adequacy decisions, but that in the future, in a no-deal scenario, the UK will take over that function: I venture to suggest that that is not very clearly explained in the Explanatory Memorandum.
Would it help if I just said that the noble Baroness is absolutely right in her interpretation?
I do not often get that response from Ministers, so that is very gratifying.
Also, a second version of these regulations was published at the end of last week—I think the Minister referred to it—which is specifically about privacy shields in the US. I am rather surprised that we will have two separate considerations: why could they not have been incorporated into this debate? As the ICO pointed out in a notice a while ago, US companies will need to update their privacy shield commitments to state that they apply to transfers of personal data from the UK. That is a big deal for many companies. It is another reason for what I said about the need for an impact assessment. If that does not happen, a lot of companies will be in serious difficulty.
Will the Minister tell us what advice the Government are giving businesses on using standard contractual clauses or binding corporate rules in the absence of an adequacy decision? The European Data Protection Board issued a notice about this last week, on 12 February. Are the Government going to advise businesses, large and small, exactly how this will work? Lastly, what progress is being made on an adequacy decision? The Minister will know from discussions during the passage of the EU withdrawal Act and the Data Protection Act that many of us are worried about this issue. Last summer, the Government expressed their aspiration for a legally binding agreement that would be more than a unilateral adequacy decision and which would enable the ICO to have a seat on the European Data Protection Board. Essentially, it would be Brexit in name only and would retain all the benefits of being in the EU with regard to data protection structures. That aspiration is not recognised in the political declaration, which talks only about an adequacy decision, so the UK has been knocked back in that area. Perhaps the Minister could tell us precisely where we are. What signal is he getting from the Commission on an adequacy decision? Are we talking months or years?
The noble Lord is right, but I do not think that that day is far off; I think it will come soon. Let us be clear: we are not talking about a natural disaster. As a Minister, I often had to deal with those. When there are ash clouds and volcanoes erupt, you have to take very difficult and extreme decisions at short notice. Here we are talking about an act which the Government are inflicting on the country, with no external agency whatever. Not only that, but the Government could this afternoon terminate the situation we are faced with, in respect of these no-deal regulations, by the Prime Minister announcing that she is not proceeding with no deal and that she will, on behalf of the United Kingdom, submit a request to extend Article 50—or, as we now know she can do from the judgments of the European court, rescind it unilaterally. This will be a big matter for the public inquiry that the noble Lord, Lord McNally, is referring to. All the consequences of this no-deal situation are caused by the Government, and the remedy for them is entirely at the disposal of the Government. It is our absolute duty to point this out all the way through this process, so that at least some of us in the parliamentary system can point to the fact that we did our level best not to take the nation to the edge of the cliff where we are now at.
Coming back to this instrument, it is totally unacceptable that we are dealing with such an important set of regulations relating to the fundamental issue of data and data protection and there has been neither an impact assessment nor any public consultation.
My Lords, I asked the Minister about the state of play on an adequacy decision. I am told that the Minister in the other place, Margot James, confirmed a few weeks ago not only that those discussions can start—at least formally—only after the UK leaves the EU, but that they would take two years; that was her estimate. So that multiplies the gravity of having no impact assessment; if we crash out without a deal, we will have a legal void for a long time.
The noble Baroness raises a very important question, to which the Minister should respond: how long will it take to consider this? Noble Lords who woke up to the “Today” programme this morning will have been astonished to find that Dr Liam Fox and the Foreign Secretary had written to the Japanese Prime Minister telling him to get a move on in signing a trade deal with Britain—as if we, because we are putting ourselves in a position of great jeopardy and undermining existing international agreements in five weeks, can now start instructing foreign Governments on the timescales in which they should conduct international negotiations. This is utterly humiliating to us as a country. It is a fundamental breach of the proper conduct of public affairs. What the noble Baroness said about it taking another two years even to get the basis of data adequacy agreements with the EU, because of our act of withdrawing from the European Union, simply underlines the point.
My Lords, I took the advice of the noble Lord, Lord McNally, that it would not be easy—and he has proved to be right. It is reasonable to take on board the frustrations that some of these SIs have caused—in my view, not so much because of the process which is gone through but the fact that some noble Lords do not want to leave the EU and are highlighting the effects. What they are highlighting may well be the case, but when we are trying to pass an SI such as this one we need to concentrate on its effect and—that did not take long.
I am sorry but the Minister must accept this. It is absolutely true—I speak for myself and my Benches—that we would prefer to remain in the EU, but that is not the point about an impact assessment. There is a difference between crashing out with no deal and a transitional period when EU law would continue to be applicable and we would not need all these arrangements. That is what an impact assessment would have to assess. This is about a no deal crash-out and it is perfectly valid to distinguish that from an advocacy of remain.
I agree. That is why the Government are making all efforts to secure a deal. We agree that a deal is the best situation for the country. We are at one with that.
In answer to the noble Baroness, I will start with something which is my responsibility—the legislation.gov.uk website provided by the National Archives. I will take up the matter with it. I am told that it may be helpful to search for “draft statutory instruments” rather than “statutory instruments”. I certainly listened to what she said about the website not working and will check what we need to do.
The noble Baroness, the noble Lord, Lord Adonis, and others talked about the impact assessment and asked why it has not been published. The impact of this instrument, not the impact of leaving the EU, was assessed in line with standard practice following the existing Better Regulation framework. It is focused on the direct impact of the relevant SI compared with the current legislation. The whole point of this SI is to maintain an equivalent regulatory framework to protect personal data. The noble Lord, Lord Adonis, quite rightly pointed out that it affects not only UK businesses but mostly EU and EEA businesses, which will have to have representatives in this country, and I will come to that. It is a reciprocal arrangement. If these regulations come into force and we have a UK GDPR, the same necessity for representatives will take place both ways, and I will come to that.
The analysis, to the best of the Government’s ability, of the wider impact of the UK’s exit from the EU was published in the Long-term Economic Analysis in November last year. The noble Lord, Lord Adonis, talked about representatives and Article 27. He is correct that data controllers who offer goods and services to or monitor the behaviour of data subjects in the UK will need to appoint a representative in the UK, but that is a cost to non-UK businesses, which is what the impact assessment is meant to address. He is also correct that there will be organisations in the UK that will be required as a matter of EU law to appoint a representative in the EEA. The ICO provides data controllers with advice on this obligation and will continue to do so. If controllers and processors based abroad are routinely processing data, it is right that they should be accountable in the UK and have a presence here because this is about maintaining the status quo as far as possible, not about rolling back protections for individuals, so the representative is a point of contact for the data subject as well as the supervisory authorities, such as the Information Commissioner.
I want to get some clarity on this and perhaps the Minister will be able to help me. He is quite clear that, for a wide variety of companies, there will need to be one representative in the UK and, he seems to imply, one representative in the EEA. Is that correct, or does there need to be one in each country within the EEA—or does the individual in the EEA have to deal with different regimes because of the different local regulators and because it is representing a third country in its work? I am trying to work out how great the burden that he has indicated will be, even though he does not think that it will be part of the impact.
Before the Minister answers, I would like to press again this idea that an impact assessment is not needed since the impact comes from leaving. I say no to that; it depends how you leave. The Minister and I may differ on the desirability of the Prime Minister’s deal, whatever that is going to be, but there is a difference between crashing out and having a transition with a political declaration which may avoid the need for duplication; we do not know what the data protection provisions will be in the future relationships. We all hope that there will be a strong degree of mutual recognition, but the immediate impact of crashing out with no deal—with a void where any adequacy decision or future reciprocal relationship between regulators would otherwise be—is quite different. First, it is different from having a standstill transition and, secondly, it is different from having the prospect, or at least the hope, of a long-term relationship that preserves something of the single market. We need the impact assessment to assess the difference between those two scenarios; that is what the Minister does not seem to grasp.
I agree with the noble Baroness that, if we leave with a deal, that is a different scenario from leaving with no deal. That seems an obvious fact and it is why the Government are trying to leave with a deal, which is what the Prime Minister is trying to achieve. This is a no-deal exit SI to prepare for that eventuality. If we leave with no deal, the object of the exercise will be to preserve the GDPR standard of data protection, which this SI will do. To return to the point raised by the noble Lord, Lord Adonis—sorry, it might have been raised by the noble Baroness, Lady Kramer—the requirement to appoint one representative in the EEA is, as I said, a result of EU law.
I say again to the noble Lord, Lord Adonis, regarding the impact on business of Article 27, that we think that if controllers based abroad are routinely processing the data of people in the UK then it is right that they should be accountable and have a presence in the UK, because it is about trying to maintain the status quo as far as possible for individuals and not rolling back their data protection. The representative is a point of contact for the data subject as well as supervisory authorities such as the Information Commissioner.
I turn to the points made by the noble Lord, Lord McNally, about the complexity for organisations potentially subject to dual regulation. The point of this instrument was to ensure the minimum disruption to organisations and to data subjects by trying to retain the effect of the data protection legislation where possible. The relationship is absolutely changing but the instrument ensures that we can co-operate on an international level with not only the EU supervisory authorities but those in other countries; that is why we have kept Article 50 of the GDPR. Where he is right, and I accept that he is right in this, is that if we move away from the GDPR—if the UK GDPR moves away from the EU GDPR—that will have consequences for the adequacy decision that we hope to achieve, which will be reviewed by the EU Commission. It is important that the EU has confidence that our data protection regime is “essentially equivalent”, which is what the adequacy decision is based on. Anything that we do in future will have to bear in mind that our data regime is essentially equivalent so that it gives the EU confidence.
I agree with the noble Baroness, Lady Ludford, that in previous times there were elements that were outside EU competence that it could not look at, but now of course in an adequacy decision it will be able to look at those. Again, as it does in other adequacy decisions, it will look at the overall adequacy requirement and say whether or not it is essentially equivalent. That is why the adequacy decision is not immediate. Where we start in a good place compared to other regimes is that we have started with an equivalent regime to the extent that we have enacted the GDPR, which other third countries have not. We start on a level playing field in that respect.
The noble Baroness talked about the US privacy shield and the reason why we are going to lay another set of regulations. The discussions on the US privacy shield were ongoing when this SI was laid and therefore we could not wait. It was our priority to lay this SI so that we had an ongoing regime in the event of no deal. Now that that has been agreed between us and the US, though, another SI will be laid—it may even have been laid—to ensure that the US requirements continue, and I think that will happen very soon.
The noble Baroness asked about the EDPB’s recently published guidance on the implications of the UK’s exit. That guidance confirmed that, if the EU Commission does not make an adequacy decision in respect of the UK, EU firms will need to put in place alternative transfer mechanisms, such as standard contractual clauses to continue to transfer personal data to the UK.
The noble Baroness suggested that the political declaration only covered adequacy. That is not right: paragraph 9 addresses the free flow of data while paragraph 10 addresses regulatory co-operation.
The noble Lord, Lord Adonis, and the noble Baroness, Lady Ludford, talked about consultation. The difference between this SI and many others is that the Data Protection Act came into force less than a year ago; it was enacted after extensive discussions in this House and the other place, after the referendum discussion had taken place. Those noble Lords who participated in the Data Protection Act discussions, which lasted for many weeks, all know that matters such as data adequacy were raised numerous times. The whole purpose of the Act, and the mixture between regulations and derogations from regulations, was that we would be on as level a playing field as we could be when it came to getting an adequacy decision.
I withdraw the word “farce”. However, while the Minister is putting great emphasis on the good fit between what he is proposing and the GDPR, the reason why that good fit exists, as I said in my remarks, is that the GDPR itself was massively influenced by British officials, who played a major role in its construction. What he is gliding over in his assurances is that if, as is likely, there are changes in the European GDPR in future then we will be coming, like the Norwegians, only to listen and accept—because, make no mistake, if there are changes in future, it will be massively in Britain’s interest to accept them. This is the loss of sovereignty that the whole process is trying to glide over. We will not have the same influence on data protection in future as we have had in the GDPR itself, which is why the fit is so comfortable at the moment.
Forgive me, but I would like to follow up on that. I really think the Minister is overselling what is in paragraph 9 of the political declaration. Last June, the Government issued a technical note about wanting a legally binding data protection agreement, and I described that earlier as a “Brexit in name only” kind of arrangement. They wanted that because there are,
“benefits that a standard Adequacy Decision cannot provide”.
Except for one sentence in paragraph 10 that talks about arrangements for appropriate co-operation between regulators, paragraph 9 is about a standard adequacy decision—no less but certainly no more. It talks about the European Commission recognising,
“a third country’s data protection standards as providing an adequate level of protection”.
It is not what the Government hoped for last June. I do not understand why the Government are trying to pretend. We can all read paragraph 9 once we have googled it and reminded ourselves, so to say that it is more than an adequacy assessment process is simply not true.
I understand the point from the noble Lord, Lord McNally, that our new position will not be the same as being in the EU. If we were a third country, I would expect us to have less influence than if we were a member of the EU. I am not denying that; it seems obvious. He is absolutely right that the GDPR was influenced by the UK, not only by officials in the negotiations but specifically by the ICO, which is regarded as one of the leading regulators in Europe. Of course, it will not have the same position as it did if we are not in the EU; I take that point.
However, I do not base everything on just the political declaration, which may or may not have some influence. It is also that we have retained Article 50 of the GDPR. I cannot remember the exact words, but it is on the basis of that that the EU talks about international co-operation with third countries, so there is a mechanism. As I said to the noble Lord, Lord McNally, it will not be the same, but there are bases for international co-operation. The EU wants that to happen and understands that in things such as data protection, you have to have an international consensus. In fact, on that, it is more important to go beyond the EU and do it internationally. Other organisations should—and do—take views on this. I think we are at the start of the journey on control of cross-border data flows and it will provide a further basis to influence behaviour.
On adequacy, it is easy to ask for detailed timelines on when this will take place. It will not take place on exit day, because it is not possible for the EU to give an adequacy decision unless you are a third country. Preliminary discussions—which, as the noble Baroness, Lady Ludford, has indicated, may take some time—could begin now and we are ready to begin those discussions as soon as we can. We are already liaising with the European Commission—in fact, senior officials were in Brussels for talks last week—and we have liaised with member states on this subject. When the EU is ready to begin discussions, we are confident that we will be ready, but it is impossible to say how long that will take because, as the noble Baroness said, it is not a decision that is in our gift.
However, we start from a position of regulatory alignment on data protection. We implemented the GDPR and the law enforcement directive. We have also taken a GDPR approach on data protection to areas that were outside EU competence, such as law enforcement and national security, so we start in a very good position. In fact, it is such a good position that the UN special rapporteur on the right to privacy declared that the UK now co-leads in Europe and globally on privacy safeguards, and has made significant improvements in its oversight system since 2015. He said that,
“the UK has now equipped itself with a legal framework and significant resources designed to protect privacy without compromising security”.
It is important to note that there is a strong mutual interest in data adequacy.
The noble Lord, Lord Adonis, said that it is unsafe to pass this SI. I would like to point out what that would mean, if it is not passed and we have a no-deal exit. It would mean that we would cease to have properly functioning data protection law. The whole basis for adequacy decisions, which I think we all agree is very important, would go, because we would not be on a reciprocal basis—
There are mitigations which prevent that—standard contractual clauses and binding corporate rules. Plus, it depends a lot on the proportionate approach that the regulators in the EU take. There would be an impact; we would have to arrange mitigations, which would be a cost to business. That is what has been set out in the technical notice to business.
The Minister is making a very good case for why there should have been an impact assessment.
I am making a very good case for why we want a deal. As I have said several times, we want a deal.
I think I have been through most of the questions raised by noble Lords. The important thing about this statutory instrument is to have a fully functioning data protection regime. If we go back to the original reasons why we passed the Data Protection 2018 with a fair bit—a lot, I would say—of cross-party support, the reason that it is important is to give individuals protection for their personal data. We must bear that in mind. These regulations will preserve that protection for individuals and set us on the road to a successful conclusion of our adequacy agreement when we get to the stage where the EU will allow us to negotiate it. That is why I beg to move.
(5 years, 9 months ago)
Lords Chamber
My Lords, I think that there may be some misunderstanding about this. The Huffington Post commented on an SI that was laid which is a no-deal SI. The best way that noble Lords and Members of the other place can prevent these changes happening is to agree a deal. However, if there is no deal we have to face the inevitable consequences of that. A lot of the issues that have arisen not only with this subject but with other SIs stem from not distinguishing between the effect of the SI itself and the effect of leaving the EU. In this case, it is not fair to say that we have not prepared for that. In fact, the technical notice that outlined all these considerations was issued in September. It is not a question of simply withdrawing the instrument; if we are no longer in the EU, we will not be able to prevent EU operators increasing charges to UK operators. They will then have to accept those higher charges, which inevitably will be passed on to consumers. The issue is that if we leave the EU we will not be able to participate in the harmonised wholesale roaming prices, so I do not accept the analysis of the noble Baroness. That is why it is not possible to withdraw the SI, if we are acting responsibly in the event of no deal.
My Lords, the best way to avoid these changes is of course no Brexit. Surely the Minister will agree that the slashing of mobile roaming charges in the EU is one of the biggest successes for British consumers, travellers and businesses. British Ministers and MEPs played a big part in this triumph to stop rip-offs and nasty surprises on bills. Now the Government intend to steal this benefit from British citizens, even though they think it likely that costs will be passed on to consumers through the choice they have made. Why have the Government chosen—and it is a choice—not to impose a retail roaming price cap? Is this deregulation policy a foretaste of the Government’s intentions in other sectors? What estimate have the Government made of the total extra costs for a British holidaymaker arising from the reintroduction of roaming charges, the loss of the EHIC card, likely increases in the cost of travel insurance and EU fees for a visa-lite? Should the Government not put this choice back to the British people so that they can decide whether they want to Brexit at all?
I do agree with the noble Baroness on one thing: this has been a great benefit since it was introduced 18 months ago. Of course, it did not exist until then. When we decided to leave, there were inevitable consequences. What I do not understand from her question is how she thinks, within the powers available to the UK, we could do something different. If we set a retail price cap, UK operators will have to accept all the increased charges and as sure as anything, those will have to be passed on to all consumers. The difference is that she would penalise all consumers, while this measure affects only those who roam in the EU.
(6 years, 11 months ago)
Lords Chamber
My Lords, I thank the Minister for moving his amendment and for his concluding remarks, which I will return to. I welcome this amendment, and the implication it carries that the Government have listened to the discussions we have had in the last few weeks and have moved from their initial position.
I will speak to Amendment 2, which I am delighted has also been signed by the noble Baroness, Lady Ludford. I am sure that your Lordships’ House will recognise that, in bringing forward a revised draft, we have reflected very deeply on the points made by noble and noble and learned Lords in the debate on the original amendment moved in Committee. In addition to noble Lords who spoke on that occasion, I thank the academic and practising lawyers—as well as many in industry—who have contributed to our emerging thinking on this topic. Before it was submitted to the gruelling process that happens to all amendments when they go to the Public Bill Office, I sent an earlier draft of this amendment to many Members of this House who spoke in that earlier debate. I am grateful for the comments I have received.
It is unusual to have two amendments bearing on very similar points. It is an advantage to be able to see the conflicting, and often overlapping, thinking that has gone into this. It is clear to all who have read both and thought about them that, while we are not yet in full agreement, we are very close. Indeed, I venture to suggest that there is more that unites us on this issue than divides us. What do we agree on? We both recognise that the key data protection rights currently enjoyed by citizens in the UK crucially underpin any assessment of adequacy that might need to be made by the EU post Brexit. They are crucial for the future of our successful data-handling industry. We both want the key data protection rights currently enjoyed by citizens in the UK to continue once the Bill becomes law, while the GDPR is in force, and then after Brexit—if that happens. We agree that the key question to be determined is not the exact wording of one or other but whether it is necessary for these key rights, currently enjoyed by UK citizens through Article 8 of the EU Charter of Fundamental Rights, to be expressed clearly for all to see on the face of the Bill, or whether their existence in various parts of the Bill—and in the GDPR and its recitals—is sufficient.
By putting down their own amendment on this issue, the Government seem to agree that explicit references in the Bill will be helpful, for the reasons given above. We now need to get together to find a form of words which will achieve this aim and which we can both support. I therefore agree with the noble Lord that the right thing to do is for both sides to withdraw their amendments on this issue today and for the Minister to confirm—as he has done—that the matter is of sufficient importance to be brought back for further consideration at Third Reading. If he will agree to that, I will not move my amendment when it is called.
My Lords, I also welcome the fact that we are in touching distance of an agreement on this matter. I thank the Minister for bringing forward Amendment 1. However, there is a little way to go. Amendment 1 is declaratory of what is contained in the Bill, whereas Amendment 2 is rather stronger and clearer.
Embedding a general right to data protection inspired by the Charter of Fundamental Rights is not only important for UK citizens but, as we have agreed in many debates and exchanges in this House, it is crucial for unhindered data flows between the UK and the European Union if we Brexit. It is absolutely crucial for business and law enforcement to be able to exchange data and have access to EU databases, such as the Schengen Information System, Europol and so on. The Government’s review of the charter, which was also most welcome and was produced last week, says that,
“domestic courts will be required to interpret retained EU law consistently with the general principle reflected in Article 8, so far as it is possible to do so”.
Is the Minister able to elucidate what that caveat leaves out? What would not be possible?
In the Watson case, to which the Brexit Secretary was a party until he became the Brexit Secretary, the European Court of Justice found that the current UK data protection regime in relation to data retention and acquisition was incompatible with Article 8 of the charter. This demonstrated the deep importance that the European Union places on charter rights in the protection of privacy. The draft resolution that the European Parliament is due to debate and vote on this Wednesday, on the joint report on the phase 1 divorce agreement that was reached last Friday,
“underlines that it will accept a framework for the future EU-UK relationship as part of the Withdrawal Agreement only if it is in strict concordance with the following principles”,
including the,
“United Kingdom’s adherence to the standards provided by international obligations, including fundamental rights … data protection and privacy”.
So we can expect this to be a very important matter, on which there will be a spotlight in the consideration of an adequacy assessment by the European Commission, which I think we all agree it is essential to achieve.
As I said in Committee, the adequacy assessment will be wide-ranging, taking in all aspects of law and practice in the United Kingdom. Of course, this will include the law and practice in terms of national security, which at the moment—rather ironically, or perversely—are excluded under the EU treaties. Once we are outside—if we are—there will be closer examination of how privacy fares in relation to the demands of national security than there is while we are in the EU. In that context, the national security issues in the Bill, which will be further debated as well, will perhaps take on a heightened importance.
On these Benches we believe that the rights under the charter in relation to data protection should be reflected in the Bill so as to have a general right to the protection of personal data in UK law. I very much agree with the course advocated by the noble Lord, Lord Stevenson, to reflect further and to accept the Government’s offer to come forward at Third Reading with something that we could all agree on.
I thank the Minister for his response. I was glad that he addressed the question of an adequacy assessment at the end of his remarks, but with respect, it is not enough—or adequate—to address an adequacy assessment only at the point of asking for it. We must lay the foundations now. I cannot see the point in storing up potential problems when we could solve the problem of the basis. We ought to do everything in that prism. We can have delightful legal discussions—it is important to get the law right—but this is also crucial to business. We have had so many representations on that point. I am sure that the Minister’s colleague, the Secretary of State for Digital, Culture, Media and Sport, is preoccupied with this question. Surely we need to front-load our response? We cannot wait until the UK applies for an adequacy assessment to be told, “Well, it’s a pity that you didn’t enshrine the principles and the essence of article 8 of the charter”. We have a chance to do that now and ensure a solid platform for requesting an adequacy assessment. I admit that I am puzzled as to why the Government would not want to do that; it is important for law enforcement as well. Why would we not want to solve that problem now, instead of finding later that we have entirely predictable problems as a result of not doing so?
I completely agree with the noble Baroness. We have applied the GDPR principles to areas such as defence, national security and the intelligence services in different parts of the Bill so that when we seek an adequacy arrangement, we can say to the EU that we have arranged a comprehensive data protection regime that takes all the GDPR principles into account, including areas that are not subject to EU law. That is why, contrary to what we said in Committee, we have taken the arguments on board and tabled government Amendment 1 to provide reassurance on that exact point. We originally said that the rights under article 8 were contained in the Bill, but we are now putting further reassurance in the Bill. Other areas of the Bill, without direct effect, signpost how the Bill should be regarded.
The noble Baroness supports the amendment but would like, I think, to create a free-standing right. I have explained why we do not agree with that. Before Third Reading, we will try to seek a form of words in our amendment that provides more reassurance, so that when it comes to seeking an adequacy decision—we cannot do that until we leave the EU—there will be no doubt about what this regime provides. That would be the best way to do it, I think.
(7 years ago)
Lords Chamber
My Lords, I am also pleased, as co-signatory, to support the amendment, the purpose of which is to retain in domestic law wording from the European Charter of Fundamental Rights concerning data protection. This is for the benefit of British citizens and to help ensure that vital data flows for business and law enforcement can continue if we Brexit.
The specific article in the EU charter, Article 8 on data protection, is stronger in this respect than the older non-EU European Convention on Human Rights, which deals with privacy only under the rubric of protection of family and personal life. The Government plan that the charter should cease to be part of UK domestic law after Brexit in Clause 5(4) of the European Union (Withdrawal) Bill. This broader issue will be considered as part of the scrutiny of that Bill, and there is a cross-party amendment tabled in the House of Commons and led by Dominic Grieve MP to remove that clause such that the charter continues to apply domestically in the interpretation of retained EU law. Liberal Democrats strongly support that amendment, but it seems appropriate not to wait for or depend on the success of that broader effort and at least effectively to embed the thrust of the charter as it concerns data protection in this Bill, which largely concerns EU law.
This is extremely important because if we Brexit, the UK will seek from the European Commission an adequacy decision on UK data protection so that transfers between the UK and the EU can continue smoothly—an objective the Prime Minister has singled out for mention. If we leave, EU states may no longer be able to share data with us unless our legal regime on matters including state surveillance powers aligns with EU requirements. The adequacy assessment will be wide-ranging, taking in all aspects of law and practice in the UK. The embedding of the charter’s data protection right in this Bill would be an important safeguard for business continuity—especially for tech companies, which depend crucially on the free flow of data—as well as ensuring that essential cross-border police and intelligence co-operation is not disrupted.
I, my noble friends Lord McNally and Lord Paddick, and other noble Lords raised at Second Reading the need for measures to protect us from threats, not to undermine our civil liberties. We are used to the European Court of Human Rights ruling on privacy issues, several times finding the UK in breach of the convention, but more recently in the digital age it is the European Court of Justice—the EU court—that has come into play as EU law on protection of electronic communications and the provisions of the Charter of Fundamental Rights has begun to bite. The Snowden revelations brought heightened sensitivity about the extent of the legitimacy of the activities of our intelligence services.
The EU data retention directive—the EU law on mandatory mass data retention—was pushed through Brussels in 2005 when the UK had the presidency of the EU by the then UK Home Secretary in an expert piece of lobbying after the London bombings of that year. In a landmark 2014 judgment, the court struck it down as incompatible with the right to respect for private life and data protection under Articles 7 and 8 of the charter. Then, as mentioned by the noble Lord, Lord Stevenson, the judgment on DRIPA last December—technically, the Tele2/Watson case, although initially also involving the then Back-Bench David Davis MP—continued in the same vein, declaring that mass data retention was “disproportionate” to citizens’ rights to privacy. Its implications for the Investigatory Powers Act and the question of whether bulk collection of communications data could be permitted to infringe privacy on the grounds of pursuit of serious crime or threats to national security may be ascertained by the reference to the European court made by the Investigatory Powers Tribunal in September. Certainly, the wide range of powers in the Investigatory Powers Act might look vulnerable to being found in conflict with EU law. The Independent Reviewer of Terrorism Legislation, Max Hill, suggested that it was unclear whether the ruling in the Watson case on safeguards for data retention regimes could be interpreted as applicable to national security.
It is true that while in the EU the national security exemption from EU competence applies but, as was brought out at Second Reading, if we were outside the EU the arrangements for our intelligence agencies would go into the whole mix that is assessed for compliance with EU standards. The court’s decision in July, rejecting the legality of the EU agreement with Canada on the transfer of passenger name record details, provides a salutary lesson in how the court approaches third-country transfers. It struck down the agreement because several of its provisions were incompatible with EU fundamental rights. It is therefore crucial that we embed the wording of Article 8 of the charter.
The Labour Opposition have tabled an amended version of Amendment 4, namely Amendment 4A. This is an interesting variation and I look forward to learning a bit more as we progress about exactly how the new wording would work. As I understand it, the safeguards in subsection (1) of the proposed new clause and the first part of subsection (2), which are replicated from Amendment 4, would and should still govern the,
“provisions, exceptions and derogations of this Act”,
otherwise, the point of writing in safeguards is undermined.
I wonder about the reference to,
“purposes as set out in the GDPR”,
since the GDPR is concerned only with the processes for data manipulated in accordance with purposes set down in other instruments. I am slightly unclear about that.
I believe that there has been concern about a conflict with press freedom. Of course we are suffering here from the fact that we have only a partial bite from the charter, which contains a firm provision on freedom of expression and information as well as on the right to security. When we succeed in retaining the whole charter in domestic law via the EU withdrawal Bill, the whole balancing exercise will become more apparent than with this snapshot. In the meantime, we have to proceed with entrenching this partial aspect of the charter as concerns data protection.
My Lords, the problem with Amendment 4 is that it would not incorporate the charter provision relating to personal data. The reason for that is that it addresses the prima facie right to the protection of personal data, but not the limitations and exceptions recognised by the European charter itself. Article 8, like all the other rights in the European charter, is subject to the limitations stated in Article 52. That says that there can be limitations on protected rights if they are provided for by law, are necessary and meet,
“objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”.
It is because there has to be a balance between this prima facie right and exceptions and limitations that the Bill contains a very large number of exemptions which cover a whole range of circumstances in which the rights of the data subject have to give way to other considerations, such as national security, the detection of crime, taxation, judicial appointments or confidential references for employment. There are many such exemptions.
The Bill contains exemptions because there are other interests in this area, and other rights, which conflict with the right to protection of personal data, and a fair balance is required. The Committee will want to debate the scope of those exceptions and limitations and be satisfied that the balance has been struck correctly. But Amendment 4 suggests that there is some absolute right to the protection of personal data. That is simply wrong. That is why, I imagine, the noble Lord, Lord Stevenson, has tabled manuscript Amendment 4A, which attempts to address the defect in Amendment 4.
I would have wished for more time to consider Amendment 4A, which I understand was tabled only this morning, particularly if the noble Lord, Lord Stevenson, intends to divide the Committee today. I am concerned that Amendment 4A poses two difficulties of its own. First, the value of including Amendment 4A is not clear to me. The Bill already sets out in considerable detail the domestic implementation of the charter obligation; that is, Article 8 read with Article 52. I fear that including Amendment 4A in the Bill would be likely to cause legal confusion and uncertainty in an area where precision and clarity are essential—and, indeed, are provided by the substance of the detailed provisions in the Bill.
Secondly, I fear that the purpose of Amendment 4A is to confer some special, elevated legal status on Article 8 rights concerning personal data for the future, as subsection (4) suggests. I think that would be very unwise because, as I have said, Article 8 rights often conflict with other rights—whether it is freedom of expression, which we heard about, or the right to property—or other interests. The detailed provisions of the Bill illustrate the difficult choices that have to be made in this area.
Amendment 4A seeks to give a special legal status to one charter right in isolation and that is simply inappropriate. For those reasons, I hope that the noble Lord, Lord Stevenson, will not divide the Committee on Amendment 4A. If he does, I will vote against it.
(7 years, 1 month ago)
Lords Chamber
My Lords, I welcome the modernisation of data protection law that the Bill represents and the intention to comply with EU law in the regulation and directive—which of course we must do while we are still in the EU. I am particularly concerned with the future and the prospects for an adequacy decision from the Commission if we find ourselves outside both the EU and the EEA. A failure to get such a decision would be extremely harmful for both businesses and other organisations and for law enforcement.
I will look briefly at the past. In 2013 in the European Parliament I was one of the lead MEPs establishing the Parliament’s position on the regulation. I believe that we did a decent job—that was before the negotiations with the Council, which watered it down somewhat. The Government rightly acknowledge that the new system will build accountability with less bureaucracy, alleviating administrative and financial burdens while holding data controllers more accountable for data being processed—backed up by the possibility of remedies for abuse including notable fines. But the purpose is to provide incentives to build in privacy from the beginning through such instruments as data protection impact assessments and having a data protection officer, through data protection by design and default—thereby avoiding getting to the point of redress being necessary. As an aside, the routine registration with the Information Commissioner’s Office will be abolished, and I am not aware of how the ICO will be funded in future, because that was a revenue stream.
I will say briefly that the new rights that are in the regulation include tougher rules on consent, so we should see the end of default opt-ins or pre-selected tick boxes. That will probably be one of the most visible things for consumers; I hope that it does not become like the cookies directive, which has become a bit of a joke. The need for explicit consent for processing sensitive data is important, as is the tightening of conditions for invoking legitimate interests.
There are several matters which will give improved control over one’s own data, which is very important. There is also the right to be told if your data has been hacked or lost—so-called data breach notification—and a strengthened ability to take legal action to enforce rights. All these are considerable improvements. However, I am rather concerned about the clarity of this very substantial Bill. It is explained that the format is chosen to provide continuity with the Data Protection Act 1998, but whether or not as a result of this innocent, no doubt valuable, choice, it seems to me that some confusion is thereby created.
First, there is the fact that the GDPR is the elephant in the room—unseen and yet the main show in town. You could call it Macavity the cat. The noble Lord, Lord Stevenson, dubbed the Bill Hamlet without the Prince. Traces exist without the GDPR being visible. Is the consequent cross-referencing to an absent document the best that can be done? I realise that there are constraints while we are in the EU, but it detracts from the aims of simplicity and coherence. Apparently, things are predicted to be simpler post Brexit, at least in this regard, when the GDPR will be incorporated into domestic law under the withdrawal Bill in a “single domestic legal basis”, according to the Explanatory Memorandum. Does that mean that this Bill—by then it will be an Act—will be amended to incorporate the regulation? It seems odd to have more clarity post Brexit than pre-Brexit. It would no doubt be totally unfair to suggest any smoke-and-mirrors exercise to confuse the fact of the centrality of EU law now and in the future.
Secondly, we seem to have some verbal gymnastics regarding what “apply” means. The departmental briefing says that the Bill will apply GDPR standards, but then we have the so-called “applied GDPR” scheme, which is an extension of the regulation in part 2, chapter III. Can the Minister elaborate on precisely what activities part 2, chapter III covers? The Bill says that manual unstructured files come within that category. I do not know how “structured” and “unstructured” are defined, but what other data processing activities or sectors are outside the scope of EU law and the regulation, and are they significant enough to justify putting them in a different part?
Looking forward, I want to mention some of what I see as the possible weaknesses in the Bill which might undermine the potential for an adequacy decision for data transfers to the EU and the EEA. The future partnership paper published in August, which has already been mentioned by the noble Lord, Lord Jay, referred to a UK-EU model which could build on the existing adequacy model. Can the Minister explain what that really means? As the noble Lord, Lord Jay, said, while national security is outside EU law, when it comes to assessing the adequacy of our level of data protection as a third country, we could find ourselves held to a higher standard because the factors to be taken into account include the rule of law and respect for human rights, fundamental freedoms and relevant legislation, including concerning public security, defence, national security, criminal law and rules for the onward transfer of personal data to another third country. Therefore, our data retention and surveillance regime, such as the bulk collection of data under the Investigatory Powers Act, will be exposed to full, not partial, assessment by EU authorities. This will include data transfers, for instance to the United States, which I would expect to be very much under the spotlight, and could potentially lead to the same furore as other transatlantic transfers. I lived through a lot of that. I remember that in 2013 there was a lot of flak about the actions of the UK, but nothing could be done about it because we are inside the EU. However, in the future it could.
There are also a number of aspects in the Bill in which the bespoke standards applied to intelligence agencies are less protective than for general processing, such as data breach reporting and redress for infringement of rights. We will need to give serious thought to the wisdom of these, looking to the future. This will not just be a snapshot on Brexit day or even on future relationship day, because at issue will be how our standards are kept up to scratch with EU ones. The fact that with another part of their brain the Government intend to decline to incorporate the European Charter of Fundamental Rights into UK domestic law, with its Article 8 on data protection, will not help the part of the governmental brain which looks forward to the free flow of data exchange with the EU. Our Government seem to be somewhat at cross purposes on what their future intentions are.
I will highlight, rather at random, some other examples which need reflection. We may need seriously to look at the lack of definition of “substantial public interest” as a basis for processing sensitive data, or even of public interest. I think the noble Lord, Lord Stevenson, mentioned the failure or the non-taking-up of the option under Article 80(2) of the regulation to confer on non-profit organisations the right to take action pursuing infringements with the regulator or court. This omission is rather surprising given that a similar right exists for NGOs, for instance, for breach of other consumer rights, including financial rights. Perhaps the Minister could explain that omission.
There is also concern that the safeguards for profiling and other forms of automated decision-making in the Bill are not strong enough to reflect the provisions of Article 22 of the GDPR. There is no mention of “similar effects” to a legal decision, which is the wording in the regulation, or of remedies such as the right of complaint or judicial redress.
Very significant is the power for the Government under Clause 15 to confer exemptions from the GDPR by regulation rather than put them in primary legislation. That will need to be examined very carefully, not only for domestic reasons but also because it could undermine significantly an adequacy assessment in the future.
I will make one or two points in the health and research area. The Conservative manifesto commitment to,
“put the National Data Guardian for Health and Social Care on a statutory footing”,
is not fulfilled in the Bill; perhaps the Minister could explain why not. I would also expect clarification as the Bill proceeds on whether Clauses 162 and 172 sufficiently protect patients’ rights in the use or abuse of medical records. We know this is a sensitive issue given the history in this area, particularly of care data and other attempts to inform patients.
As a final point, I am glad that the research community was broadly positive about the compromises reached in the GDPR, although they were less explicit than the Parliament’s position. That leads to some uncertainty. I took note of what the noble Baroness, Lady Neville-Jones, said. Therefore, close examination will be merited of whether the Bill provides a good legal framework with sufficient legal basis for research, which many of us have all sorts of interests in promoting, balanced with a respect for individual rights. I very much hope this will be explored carefully at future stages.