(4 years, 11 months ago)
Lords ChamberMy Lords, I support this amendment, of which I am a co-signatory. I very much agree with what the noble Lord, Lord Stevenson, said, though I fear I might add a few questions for the Minister. As he said, free data flows across borders are an essential foundation of many key sectors of our economy, not just the tech industry as such but manufacturing, retail, health, information technology and financial services. It is vital that the free flow of data between the UK and the rest of the EU continues post Brexit with minimum disruption.
The European Union Select Committee, in its recent report on the revised withdrawal agreement and political declaration, pointed out that there was a lowering of ambition in the political declaration compared to what we have now as part of the EU’s digital single market. We have free flows, whereas the political declaration talks only about the “facilitation” of data flows. That is not the same as “freedom” of data flows. A host of organisations and the Information Commissioner have all persuasively argued that we need to ensure that our data protection legislation and practices are ruled as adequate. That is why it is so important that we get these regular reports and, as the amendment says, that we discover what the policy of HMG is if we do not have a data adequacy agreement after the end of transition.
We cannot take such a decision for granted merely because the GDPR more or less forms part of UK law. A major obstacle to an adequacy ruling is, of course, the bulk data provisions in the Investigatory Powers Act 2016, particularly in the light of the European Court of Justice decision in Tele2/Watson, the case brought by David Davis and Tom Watson over the legality of GCHQ’s retention and bulk interception of call records and online messages. That judgment ruled that UK mass surveillance laws breach the Charter of Fundamental Rights.
Just today there has been an opinion from the Advocate-General, the court’s legal adviser, who tends to get followed in 80% of ECJ cases, on a case which involves Privacy International, and a reference from the Investigatory Powers Tribunal. The Advocate-General has reinforced EU privacy law against mass retention and access to customer data by GCHQ, MI5 and MI6. I think this concerns provisions in Section 94 of the Telecommunications Act 1984. So we may get a second CJEU ruling, which will be problematic for any adequacy ruling given the very explicit requirements of Article 45(2)(a) of the GDPR, requiring the commission to consider
“respect for human rights and fundamental freedoms”,
as well as
“national security … and the access of public authorities to personal data … and … international commitments”.
They will probably want to look at any potential transatlantic transfers agreed with President Trump.
It is already clear that many aspects of the Investigatory Powers Act fall short of satisfying the CJEU criteria. The purposes of retention are not limited to fighting serious crime, data retention is not targeted to what is strictly necessary, prior independent review or judicial authorisation is not required in all cases, and there is no provision for informing individuals.
What are the Government going to do in the area of the powers of intelligence agencies to satisfy the European Commission—and the European Parliament, where I had some experience of this, particularly in the era of the Edward Snowden revelations, when many in the Parliament were jumping up and down about GCHQ but there was nothing they could do about it while we were in the EU? Once outside, we actually get much stricter scrutiny about our interception practices than when we are inside; it is something of an irony, really. Then there is the problem about the exception for immigration data in the Data Protection Act 2018. The EU will no doubt closely monitor how the Home Office reviews settled status applications and whether data subjects can obtain full access to their personal data if there are disputes or problems about their status.
In addition, we discussed earlier today the accusation —it seems stronger than that—that the UK has illegally copied, and therefore misused, the Schengen Information System database by copying it into a national database and even sharing it with private companies. The commission report says that UK practices
“constitute serious and immediate risks to the integrity and security of SIS data as well as for the data subjects”.
That is another area where we are going to be under strict review. There is the trust issue, which we also discussed earlier today about the criminal records fiasco—I think one would have to use that word.
There are lots of questions and challenging reviews that the Government will have to answer in seeking data adequacy decisions. We need to know what steps they have taken so far to achieve this decision. Will they apply to continue to participate in the European Data Protection Board? What will they do if we get turned down for a data adequacy agreement? Anything else is second best. Have the Government thought through what their strategy will be if they do get refused? Will they change the legislation on handling personal data for national security purposes? Those are a lot of questions, but it is a very significant area of the negotiations with the EU 27. From past experience, I know that the European Commission will be very much on the ball— not least because of the eagle eye that the European Parliament will have on this area—so the Government have to be as well.
I thank the noble Lord, Lord Stevenson, and the noble Baroness, Lady Ludford, for this amendment, which seeks to add additional scrutiny to the data adequacy assessment process by introducing a bespoke statutory reporting requirement. It has certainly been very useful in drawing attention to the importance for both the UK and the EU of the UK pursuing and obtaining positive data adequacy decisions to enable the free flow of personal data after we exit the EU. It is also helpful that the noble Lord highlighted the success of our tech sector, which I thoroughly echo. I am sure that my noble friend the Secretary of State shares that view.
The free flow of personal data is an important feature underpinning the UK and the EU’s future relationship for economic and security purposes. The UK is currently a global leader in strong data protection standards, and protecting the privacy of individuals will continue to be a priority. The noble Baroness, Lady Ludford, referred to a lack of ambition. I do not think there is any lack of ambition on the part of the Government in this area. The Data Protection Act 2018 strengthened UK standards in line with the EU GDPR and law enforcement directive, providing a unique starting point for these discussions. The UK is ready to begin the adequacy assessment process and we are pleased that the EU has committed, in the political declaration, to the Commission beginning its assessment of the UK as soon as possible after our withdrawal, endeavouring to adopt adequacy decisions by the end of December 2020.
Before I try to answer some of the questions posed, I hope it will be helpful to touch briefly on some of the preparation that has been going on in government for the last two years for this eventuality. The Government established a data adequacy negotiation hub which sits within the Department for Digital, Culture, Media and Sport. It was set up early in 2018 and includes experienced experts in both data protection and negotiation. They are ready and waiting and keen to start negotiations with the Commission now.
This amendment would introduce a bespoke statutory reporting requirement, as we heard, covering the assessment period. However, as we heard very eloquently from my noble friend Lord Callanan earlier, there is a need for flexibility of reporting during what will be at times, I am sure, sensitive negotiations. While the Government are absolutely clear in our responsibilities to keep Parliament updated on that progress, and that obviously includes your Lordships’ House, we do not believe that such a rigid regime is appropriate. Obviously, both Houses have an array of tools at their disposal to scrutinise the Government, including through their Select Committees: I refer to the recent report of the Lords EU Committee, which scrutinised the revised withdrawal agreement and political declaration and concluded that the provisions on data protection were to be welcomed.
In this context, we believe there is no need for further bespoke reporting requirements for data adequacy, particularly as setting these out in legislation may have unintended consequences, as was discussed earlier this afternoon. I shall now try to address some specific points, but I am very grateful to the noble Lord, Lord Stevenson, for his offer that I might write to cover some of them.
In a sense, both noble Lords asked about the spirit which would underpin our approach to moving forward in these negotiations. Our aim is to try to find the right way to safeguard privacy while both promoting trade and innovation and protecting citizens from crime and terrorism. All those things are crucial to fully realising the opportunities from the data economy.
I am sorry to interrupt the Minister, but the fact is that the CJU has condemned our regime under the Investigatory Powers Act. The European Commission will have to take account of that, so to say that we and the EU have common high standards is not entirely borne out by the facts. The CJU has criticised, in a full judgment, the Investigatory Powers Act. How will we cope with that in the search for data adequacy?
As the noble Baroness understands very well, the adequacy discussions will be broader than strictly personal data and data protection, and will cover these issues. It will be our role to explain to and convince the EU of that, which we are confident we can do.
Similarly in relation to immigration data, which the noble Baroness raised, we believe that there are some misunderstandings about how this provision works. Rather than going into that detail tonight, I can write to her on this. However, we are confident that the provisions included in the Act are fully compatible with EU law, although clearly we recognise that they will be closely scrutinised.
The noble Lord, Lord Stevenson, asked about the independence of the Information Commissioner’s Office. We believe that the ICO is a strong, independent and effective regulator and that its relationship with DCMS upholds that independence. We really do not have concerns that this will be an issue in relation to adequacy.
The noble Baroness referred to the opinion received today from the Advocate-General of the EU; as she said, the opinion is non-binding and the impact will happen only when we have the court’s judgment, although I note her comments on the probability of that. Since the opinion was published only a few hours ago, my officials are currently digesting it, so noble Lords will understand that our ability to comment on these proceedings is limited.
The noble Lord, Lord Stevenson, asked about recitals in the future UK GDPR which still include the EU terminology. Recitals are non-binding in both EU GDPR and future UK GDPR. They are there only as an aid to interpretation and we do not believe that the references to the EU will be confusing.
The noble Baroness, Lady Ludford, referred to the Schengen Information System. I understand that the House will discuss the UK’s access to several EU law enforcement databases on the next amendment. If she will permit it, I think it would be easier to return to that question then.
Both noble Lords asked what will happen if an adequacy decision has not been granted at the end of the implementation period. Obviously both sides have committed clearly, and it is an absolute priority, to make this work, but in the event that an agreement is not reached, the Government have already done a huge amount around no deal, working proactively to communicate companies’ responsibilities in this area—particularly in relation to smaller companies, which we know might find this more challenging. The Information Commissioner’s Office produced a portal to support organisations preparing the standard contractual clauses referred to by the noble Lord, Lord Stevenson.
I fear that time may not permit me to answer any more questions but I will endeavour to write and cover all the important points made. I hope that I have managed to reassure the noble Lord that, once adequacy discussions are under way, both Houses will continue to use all the available scrutiny tools at their disposal to ensure that they are absolutely appropriately informed on the Government’s data adequacy progress and policy. I hope that he will feel able to withdraw his amendment.