(5 years, 9 months ago)
Lords Chamber
My Lords, first I have a couple of housekeeping questions which I hope are not too banal. I find considerable difficulty using the legislation.gov.uk website and its search function. Will the Minister ask his civil servants to check it out? Even if you search for “data protection 2019” under UK SIs, both the previous one and this are difficult to find. There was a 19 December version of these regulations, which were replaced in January. I must admit that I have not pored over every line of both to find the differences. Will the Minister explain why that was necessary?
Secondly, I want to ask about the absence of an impact assessment. Paragraph 12 of the Explanatory Memorandum states that:
“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”.
The pretext is that, while the Government recognise that:
“Data flows from the EEA to the UK may be restricted post-exit”—
because, if there is no deal, we will be plunged into a situation where there is no legal framework and no adequacy decision—
“that is as a consequence of the UK leaving the EU, not as a result of this instrument”.
That is the justification for having no impact assessment. However, if we left with a withdrawal deal and a transition there would be a legal framework, so this instrument, which provides for both a no-deal scenario and one in which there would be no adequacy decision, surely merits an impact assessment as well as the consultation to which the noble Lord, Lord Adonis, referred.
As the ICO has made clear, and as has been mentioned already, businesses may have to deal both with the ICO and with European data protection authorities in every EU and EEA state where they have customers. They may need a European representative if they process the data of people resident in the EEA or have customers in the EEA. There would be additional complexity if they had to comply with both the GDPR and the UK GDPR. They could face concurrent legal claims in both the UK and the EEA. Will the Minister amplify the justification for having no impact assessment? Data flows are crucial to many businesses, not just the tech industry—there is hardly a business or other organisation that they do not affect—so the rather blasé claim that no impact assessment is needed is not justified.
I am a bit confused—it may just be my lack of understanding—about the situation regarding EU adequacy decisions on third countries. Paragraph 2.8 of the Explanatory Memorandum says there will be,
“incorporated into UK domestic law … EU decisions on the adequacy of third countries and on standard contractual clauses, both of which are relevant for … international transfers”.
Paragraph 2.13 says:
“It will not be necessary to retain the EU decisions on adequacy and standard contractual clauses … so these are revoked by this instrument”.
If I have understood the Minister’s presentation, this is explained by the fact that we are recognising and incorporating past EU adequacy decisions, but that in the future, in a no-deal scenario, the UK will take over that function: I venture to suggest that that is not very clearly explained in the Explanatory Memorandum.
Would it help if I just said that the noble Baroness is absolutely right in her interpretation?
I do not often get that response from Ministers, so that is very gratifying.
Also, a second version of these regulations was published at the end of last week—I think the Minister referred to it—which is specifically about privacy shields in the US. I am rather surprised that we will have two separate considerations: why could they not have been incorporated into this debate? As the ICO pointed out in a notice a while ago, US companies will need to update their privacy shield commitments to state that they apply to transfers of personal data from the UK. That is a big deal for many companies. It is another reason for what I said about the need for an impact assessment. If that does not happen, a lot of companies will be in serious difficulty.
Will the Minister tell us what advice the Government are giving businesses on using standard contractual clauses or binding corporate rules in the absence of an adequacy decision? The European Data Protection Board issued a notice about this last week, on 12 February. Are the Government going to advise businesses, large and small, exactly how this will work? Lastly, what progress is being made on an adequacy decision? The Minister will know from discussions during the passage of the EU withdrawal Act and the Data Protection Act that many of us are worried about this issue. Last summer, the Government expressed their aspiration for a legally binding agreement that would be more than a unilateral adequacy decision and which would enable the ICO to have a seat on the European Data Protection Board. Essentially, it would be Brexit in name only and would retain all the benefits of being in the EU with regard to data protection structures. That aspiration is not recognised in the political declaration, which talks only about an adequacy decision, so the UK has been knocked back in that area. Perhaps the Minister could tell us precisely where we are. What signal is he getting from the Commission on an adequacy decision? Are we talking months or years?
My Lords, I took the advice of the noble Lord, Lord McNally, that it would not be easy—and he has proved to be right. It is reasonable to take on board the frustrations that some of these SIs have caused—in my view, not so much because of the process which is gone through but the fact that some noble Lords do not want to leave the EU and are highlighting the effects. What they are highlighting may well be the case, but when we are trying to pass an SI such as this one we need to concentrate on its effect and—that did not take long.
I am sorry but the Minister must accept this. It is absolutely true—I speak for myself and my Benches—that we would prefer to remain in the EU, but that is not the point about an impact assessment. There is a difference between crashing out with no deal and a transitional period when EU law would continue to be applicable and we would not need all these arrangements. That is what an impact assessment would have to assess. This is about a no deal crash-out and it is perfectly valid to distinguish that from an advocacy of remain.
I agree. That is why the Government are making all efforts to secure a deal. We agree that a deal is the best situation for the country. We are at one with that.
In answer to the noble Baroness, I will start with something which is my responsibility—the legislation.gov.uk website provided by the National Archives. I will take up the matter with it. I am told that it may be helpful to search for “draft statutory instruments” rather than “statutory instruments”. I certainly listened to what she said about the website not working and will check what we need to do.
The noble Baroness, the noble Lord, Lord Adonis, and others talked about the impact assessment and asked why it has not been published. The impact of this instrument, not the impact of leaving the EU, was assessed in line with standard practice following the existing Better Regulation framework. It is focused on the direct impact of the relevant SI compared with the current legislation. The whole point of this SI is to maintain an equivalent regulatory framework to protect personal data. The noble Lord, Lord Adonis, quite rightly pointed out that it affects not only UK businesses but mostly EU and EEA businesses, which will have to have representatives in this country, and I will come to that. It is a reciprocal arrangement. If these regulations come into force and we have a UK GDPR, the same necessity for representatives will take place both ways, and I will come to that.
The analysis, to the best of the Government’s ability, of the wider impact of the UK’s exit from the EU was published in the Long-term Economic Analysis in November last year. The noble Lord, Lord Adonis, talked about representatives and Article 27. He is correct that data controllers who offer goods and services to or monitor the behaviour of data subjects in the UK will need to appoint a representative in the UK, but that is a cost to non-UK businesses, which is what the impact assessment is meant to address. He is also correct that there will be organisations in the UK that will be required as a matter of EU law to appoint a representative in the EEA. The ICO provides data controllers with advice on this obligation and will continue to do so. If controllers and processors based abroad are routinely processing data, it is right that they should be accountable in the UK and have a presence here because this is about maintaining the status quo as far as possible, not about rolling back protections for individuals, so the representative is a point of contact for the data subject as well as the supervisory authorities, such as the Information Commissioner.
I want to get some clarity on this and perhaps the Minister will be able to help me. He is quite clear that, for a wide variety of companies, there will need to be one representative in the UK and, he seems to imply, one representative in the EEA. Is that correct, or does there need to be one in each country within the EEA—or does the individual in the EEA have to deal with different regimes because of the different local regulators and because it is representing a third country in its work? I am trying to work out how great the burden that he has indicated will be, even though he does not think that it will be part of the impact.
Before the Minister answers, I would like to press again this idea that an impact assessment is not needed since the impact comes from leaving. I say no to that; it depends how you leave. The Minister and I may differ on the desirability of the Prime Minister’s deal, whatever that is going to be, but there is a difference between crashing out and having a transition with a political declaration which may avoid the need for duplication; we do not know what the data protection provisions will be in the future relationships. We all hope that there will be a strong degree of mutual recognition, but the immediate impact of crashing out with no deal—with a void where any adequacy decision or future reciprocal relationship between regulators would otherwise be—is quite different. First, it is different from having a standstill transition and, secondly, it is different from having the prospect, or at least the hope, of a long-term relationship that preserves something of the single market. We need the impact assessment to assess the difference between those two scenarios; that is what the Minister does not seem to grasp.
I agree with the noble Baroness that, if we leave with a deal, that is a different scenario from leaving with no deal. That seems an obvious fact and it is why the Government are trying to leave with a deal, which is what the Prime Minister is trying to achieve. This is a no-deal exit SI to prepare for that eventuality. If we leave with no deal, the object of the exercise will be to preserve the GDPR standard of data protection, which this SI will do. To return to the point raised by the noble Lord, Lord Adonis—sorry, it might have been raised by the noble Baroness, Lady Kramer—the requirement to appoint one representative in the EEA is, as I said, a result of EU law.
I say again to the noble Lord, Lord Adonis, regarding the impact on business of Article 27, that we think that if controllers based abroad are routinely processing the data of people in the UK then it is right that they should be accountable and have a presence in the UK, because it is about trying to maintain the status quo as far as possible for individuals and not rolling back their data protection. The representative is a point of contact for the data subject as well as supervisory authorities such as the Information Commissioner.
I turn to the points made by the noble Lord, Lord McNally, about the complexity for organisations potentially subject to dual regulation. The point of this instrument was to ensure the minimum disruption to organisations and to data subjects by trying to retain the effect of the data protection legislation where possible. The relationship is absolutely changing but the instrument ensures that we can co-operate on an international level with not only the EU supervisory authorities but those in other countries; that is why we have kept Article 50 of the GDPR. Where he is right, and I accept that he is right in this, is that if we move away from the GDPR—if the UK GDPR moves away from the EU GDPR—that will have consequences for the adequacy decision that we hope to achieve, which will be reviewed by the EU Commission. It is important that the EU has confidence that our data protection regime is “essentially equivalent”, which is what the adequacy decision is based on. Anything that we do in future will have to bear in mind that our data regime is essentially equivalent so that it gives the EU confidence.
I agree with the noble Baroness, Lady Ludford, that in previous times there were elements that were outside EU competence that it could not look at, but now of course in an adequacy decision it will be able to look at those. Again, as it does in other adequacy decisions, it will look at the overall adequacy requirement and say whether or not it is essentially equivalent. That is why the adequacy decision is not immediate. Where we start in a good place compared to other regimes is that we have started with an equivalent regime to the extent that we have enacted the GDPR, which other third countries have not. We start on a level playing field in that respect.
The noble Baroness talked about the US privacy shield and the reason why we are going to lay another set of regulations. The discussions on the US privacy shield were ongoing when this SI was laid and therefore we could not wait. It was our priority to lay this SI so that we had an ongoing regime in the event of no deal. Now that that has been agreed between us and the US, though, another SI will be laid—it may even have been laid—to ensure that the US requirements continue, and I think that will happen very soon.
The noble Baroness asked about the EDPB’s recently published guidance on the implications of the UK’s exit. That guidance confirmed that, if the EU Commission does not make an adequacy decision in respect of the UK, EU firms will need to put in place alternative transfer mechanisms, such as standard contractual clauses to continue to transfer personal data to the UK.
The noble Baroness suggested that the political declaration only covered adequacy. That is not right: paragraph 9 addresses the free flow of data while paragraph 10 addresses regulatory co-operation.
The noble Lord, Lord Adonis, and the noble Baroness, Lady Ludford, talked about consultation. The difference between this SI and many others is that the Data Protection Act came into force less than a year ago; it was enacted after extensive discussions in this House and the other place, after the referendum discussion had taken place. Those noble Lords who participated in the Data Protection Act discussions, which lasted for many weeks, all know that matters such as data adequacy were raised numerous times. The whole purpose of the Act, and the mixture between regulations and derogations from regulations, was that we would be on as level a playing field as we could be when it came to getting an adequacy decision.
Forgive me, but I would like to follow up on that. I really think the Minister is overselling what is in paragraph 9 of the political declaration. Last June, the Government issued a technical note about wanting a legally binding data protection agreement, and I described that earlier as a “Brexit in name only” kind of arrangement. They wanted that because there are,
“benefits that a standard Adequacy Decision cannot provide”.
Except for one sentence in paragraph 10 that talks about arrangements for appropriate co-operation between regulators, paragraph 9 is about a standard adequacy decision—no less but certainly no more. It talks about the European Commission recognising,
“a third country’s data protection standards as providing an adequate level of protection”.
It is not what the Government hoped for last June. I do not understand why the Government are trying to pretend. We can all read paragraph 9 once we have googled it and reminded ourselves, so to say that it is more than an adequacy assessment process is simply not true.
I understand the point from the noble Lord, Lord McNally, that our new position will not be the same as being in the EU. If we were a third country, I would expect us to have less influence than if we were a member of the EU. I am not denying that; it seems obvious. He is absolutely right that the GDPR was influenced by the UK, not only by officials in the negotiations but specifically by the ICO, which is regarded as one of the leading regulators in Europe. Of course, it will not have the same position as it did if we are not in the EU; I take that point.
However, I do not base everything on just the political declaration, which may or may not have some influence. It is also that we have retained Article 50 of the GDPR. I cannot remember the exact words, but it is on the basis of that that the EU talks about international co-operation with third countries, so there is a mechanism. As I said to the noble Lord, Lord McNally, it will not be the same, but there are bases for international co-operation. The EU wants that to happen and understands that in things such as data protection, you have to have an international consensus. In fact, on that, it is more important to go beyond the EU and do it internationally. Other organisations should—and do—take views on this. I think we are at the start of the journey on control of cross-border data flows and it will provide a further basis to influence behaviour.
On adequacy, it is easy to ask for detailed timelines on when this will take place. It will not take place on exit day, because it is not possible for the EU to give an adequacy decision unless you are a third country. Preliminary discussions—which, as the noble Baroness, Lady Ludford, has indicated, may take some time—could begin now and we are ready to begin those discussions as soon as we can. We are already liaising with the European Commission—in fact, senior officials were in Brussels for talks last week—and we have liaised with member states on this subject. When the EU is ready to begin discussions, we are confident that we will be ready, but it is impossible to say how long that will take because, as the noble Baroness said, it is not a decision that is in our gift.
However, we start from a position of regulatory alignment on data protection. We implemented the GDPR and the law enforcement directive. We have also taken a GDPR approach on data protection to areas that were outside EU competence, such as law enforcement and national security, so we start in a very good position. In fact, it is such a good position that the UN special rapporteur on the right to privacy declared that the UK now co-leads in Europe and globally on privacy safeguards, and has made significant improvements in its oversight system since 2015. He said that,
“the UK has now equipped itself with a legal framework and significant resources designed to protect privacy without compromising security”.
It is important to note that there is a strong mutual interest in data adequacy.
The noble Lord, Lord Adonis, said that it is unsafe to pass this SI. I would like to point out what that would mean, if it is not passed and we have a no-deal exit. It would mean that we would cease to have properly functioning data protection law. The whole basis for adequacy decisions, which I think we all agree is very important, would go, because we would not be on a reciprocal basis—
There are mitigations which prevent that—standard contractual clauses and binding corporate rules. Plus, it depends a lot on the proportionate approach that the regulators in the EU take. There would be an impact; we would have to arrange mitigations, which would be a cost to business. That is what has been set out in the technical notice to business.
The Minister is making a very good case for why there should have been an impact assessment.
I am making a very good case for why we want a deal. As I have said several times, we want a deal.
I think I have been through most of the questions raised by noble Lords. The important thing about this statutory instrument is to have a fully functioning data protection regime. If we go back to the original reasons why we passed the Data Protection 2018 with a fair bit—a lot, I would say—of cross-party support, the reason that it is important is to give individuals protection for their personal data. We must bear that in mind. These regulations will preserve that protection for individuals and set us on the road to a successful conclusion of our adequacy agreement when we get to the stage where the EU will allow us to negotiate it. That is why I beg to move.
(5 years, 9 months ago)
Lords Chamber
My Lords, I think that there may be some misunderstanding about this. The Huffington Post commented on an SI that was laid which is a no-deal SI. The best way that noble Lords and Members of the other place can prevent these changes happening is to agree a deal. However, if there is no deal we have to face the inevitable consequences of that. A lot of the issues that have arisen not only with this subject but with other SIs stem from not distinguishing between the effect of the SI itself and the effect of leaving the EU. In this case, it is not fair to say that we have not prepared for that. In fact, the technical notice that outlined all these considerations was issued in September. It is not a question of simply withdrawing the instrument; if we are no longer in the EU, we will not be able to prevent EU operators increasing charges to UK operators. They will then have to accept those higher charges, which inevitably will be passed on to consumers. The issue is that if we leave the EU we will not be able to participate in the harmonised wholesale roaming prices, so I do not accept the analysis of the noble Baroness. That is why it is not possible to withdraw the SI, if we are acting responsibly in the event of no deal.
My Lords, the best way to avoid these changes is of course no Brexit. Surely the Minister will agree that the slashing of mobile roaming charges in the EU is one of the biggest successes for British consumers, travellers and businesses. British Ministers and MEPs played a big part in this triumph to stop rip-offs and nasty surprises on bills. Now the Government intend to steal this benefit from British citizens, even though they think it likely that costs will be passed on to consumers through the choice they have made. Why have the Government chosen—and it is a choice—not to impose a retail roaming price cap? Is this deregulation policy a foretaste of the Government’s intentions in other sectors? What estimate have the Government made of the total extra costs for a British holidaymaker arising from the reintroduction of roaming charges, the loss of the EHIC card, likely increases in the cost of travel insurance and EU fees for a visa-lite? Should the Government not put this choice back to the British people so that they can decide whether they want to Brexit at all?
I do agree with the noble Baroness on one thing: this has been a great benefit since it was introduced 18 months ago. Of course, it did not exist until then. When we decided to leave, there were inevitable consequences. What I do not understand from her question is how she thinks, within the powers available to the UK, we could do something different. If we set a retail price cap, UK operators will have to accept all the increased charges and as sure as anything, those will have to be passed on to all consumers. The difference is that she would penalise all consumers, while this measure affects only those who roam in the EU.
(6 years, 11 months ago)
Lords Chamber
I thank the Minister for his response. I was glad that he addressed the question of an adequacy assessment at the end of his remarks, but with respect, it is not enough—or adequate—to address an adequacy assessment only at the point of asking for it. We must lay the foundations now. I cannot see the point in storing up potential problems when we could solve the problem of the basis. We ought to do everything in that prism. We can have delightful legal discussions—it is important to get the law right—but this is also crucial to business. We have had so many representations on that point. I am sure that the Minister’s colleague, the Secretary of State for Digital, Culture, Media and Sport, is preoccupied with this question. Surely we need to front-load our response? We cannot wait until the UK applies for an adequacy assessment to be told, “Well, it’s a pity that you didn’t enshrine the principles and the essence of article 8 of the charter”. We have a chance to do that now and ensure a solid platform for requesting an adequacy assessment. I admit that I am puzzled as to why the Government would not want to do that; it is important for law enforcement as well. Why would we not want to solve that problem now, instead of finding later that we have entirely predictable problems as a result of not doing so?
I completely agree with the noble Baroness. We have applied the GDPR principles to areas such as defence, national security and the intelligence services in different parts of the Bill so that when we seek an adequacy arrangement, we can say to the EU that we have arranged a comprehensive data protection regime that takes all the GDPR principles into account, including areas that are not subject to EU law. That is why, contrary to what we said in Committee, we have taken the arguments on board and tabled government Amendment 1 to provide reassurance on that exact point. We originally said that the rights under article 8 were contained in the Bill, but we are now putting further reassurance in the Bill. Other areas of the Bill, without direct effect, signpost how the Bill should be regarded.
The noble Baroness supports the amendment but would like, I think, to create a free-standing right. I have explained why we do not agree with that. Before Third Reading, we will try to seek a form of words in our amendment that provides more reassurance, so that when it comes to seeking an adequacy decision—we cannot do that until we leave the EU—there will be no doubt about what this regime provides. That would be the best way to do it, I think.