(6 years, 8 months ago)
Lords ChamberMy Lords, I have added my name to the amendments and agree entirely with what the noble Lord, Lord Stevenson, said. I do not intend to traverse the same ground as him and may not be quite as helpful to the Prime Minister as he has been.
I want to add a dimension on data protection from the perspective of someone who has been a Minister and a senior civil servant. It is very easy for even the most well-intentioned Minister to overlook the importance of data protection and privacy to some of our fellow citizens when we are trying to push through what is seen as a measure of great collective benefit. We have seen how easy it is for free-speech arguments to trump individual privacy considerations. In the rush to secure medical advances through research, it is easy to see people who are nervous of giving their medical history to a researcher they do not know as Luddites to be overruled. That is why the Data Protection Act 1998 was a landmark Act. It calls on bureaucracies to stop and think and to become more thoughtful about citizens’ rights to privacy and individual data protection. Since that Act, case law has extended those protections in many cases. We do not want any backsliding, and there are plenty of powerful interests who would backslide if these legal protections were diminished. It is for similar reasons that the successor to the 1998 Act needs to be fully protected following our departure from the EU, and that protection needs to be set out clearly in this Bill. This is even more the case given that the Government have set their face against protecting the transfer into UK law of the Charter of Fundamental Rights, which contains privacy provisions.
As I said on an earlier amendment on clinical trials, we need overtly to protect existing rights and provisions important to our fellow citizens from casual vandalism later. That means being sceptical about assurances from Ministers, even the Prime Minister, in relation to this Bill and relying on future actions to preserve safeguards. We have to put more guarantees in the Bill before it leaves this House, as I said on Amendment 84. I want before I sit down to draw the attention of those who were not present for the debate on that earlier amendment to two important points made respectively by the noble and learned Lords, Lord Judge and Lord Mackay. My noble and learned friend Lord Judge, as I understood him, ventured the view that the new EU regulations of concern under Amendment 84 could be added to Clause 7(7). That seems to give support to this amendment. If we went down that route, we would be doing exactly the same for data protection issues as for clinical trials. That suggests that there is scope in the Bill for specific EU regulations to be given particular protection where it is considered of such importance to the rights and safeguards of citizens.
Similarly, on the same amendment—I would need to read Hansard to check that I understood it correctly—the noble and learned Lord, Lord Mackay of Clashfern, made a contribution that was extremely helpful to the Minister, who, if I may put it delicately, was in a little trouble over that amendment. He suggested that, where there were new provisions and some ambiguity about whether the full protections would be safeguarded, it would be open to this House and the Government to consider putting a list of regulations requiring special protection in some form in this Bill.
If that course of action commended itself to the Government before Report, I would respectfully suggest that data protection should be on that list as something that will be given particular protection. I think there is a very strong case, as the noble Lord, Lord Stevenson, has argued very convincingly, to give some special protections in the Bill to data protection. Regardless of whether this amendment is precisely the right wording, or whether there is another way of doing it, I think that the noble Lord has made the case, just as I think that we made the case earlier this afternoon on clinical trials regulations. I think the Government need to think, in the way that the noble and learned Lord, Lord Mackay of Clashfern, was saying, about the kinds of issues that merit that kind of protection if we are to safeguard well-earned citizens’ rights and protections that have built up over time.
My Lords, it is a pleasure to follow the noble Lord, Lord Warner, and speak to Amendment 88 and the other amendments in this group. I very much support the words and the very comprehensive introduction that was given by the noble Lord, Lord Stevenson. It is vital to many key sectors—manufacturing, retail, health, information technology and financial services in particular—that the free flow of data between ourselves and the EU continues post Brexit with minimum disruption. With an increasingly digital economy, this is critical for international trade. TechUK, TheCityUK, the ABI, our own European Affairs Sub-Committee and the UK Information Commissioner herself have all persuasively argued that we need to ensure that our data protection legislation is treated as adequate for the purpose of permitting cross-border data flow into and out of the EU, post Brexit.
Fears were expressed in Committee and eventually the Data Protection Bill was amended on Report and at Third Reading to show that some principles, at least, were incorporated in the Bill, despite the fact that the European Charter of Fundamental Rights will not become part of UK law as part of the replication process in this Bill. The noble Lord, Lord Stevenson, quoted the Prime Minister’s recent Mansion House speech, a speech that I am sure will be quoted many times, when she said that,
“we will need an arrangement for data protection. I made this point in Munich in relation to our security relationship. But the free flow of data is also critical for both sides in any modern trading relationship too. The UK has exceptionally high standards of data protection. And we want to secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals to achieve our aims in maintaining and developing the UK’s strong trading and economic links with the EU. That is why”—
this is exactly what the noble Lord, Lord Stevenson, said—
“we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office”.
Whether or not something more than adequacy will be available—the noble Lord, Lord Stevenson, also dealt with this—depends on the EU, which states quite clearly, in paragraph 11 of its recent draft negotiating guidelines:
“In the light of the importance of data flows in several components of the future relationships, personal data protection should be governed by Union rules on adequacy with a view to ensuring a level of protection essentially equivalent to that of the Union”.
I have slightly more extensively quoted paragraph 11 of the recent guidelines, but the difference between those two statements is notable. Both the statements recognise the fact, as many of us emphasised in this House during the passage of the Data Protection Bill, that the alignment of our data protection with the EU is an intensely important issue. There will be a spotlight on the question of whether we meet an adequacy assessment by the European Commission, which I think we all agree is necessary and essential.
As I said on Report and at Third Reading of the Data Protection Bill, the Government added a new clause designed to meet the adequacy test in future, yet this Bill also gives Ministers power to make secondary legislation to amend any retained EU law, which would include laws governing data protection rights. So the Government could give with one hand and take away with the other. This amendment, as the noble Lord, Lord Stevenson, emphasised, is exactly designed to avoid a situation where our data protection law does not meet the adequacy test, to the great disadvantage of our digital economy and other sectors. Set against this danger, it cannot be necessary or desirable to exercise any of the powers in Clauses 7, 8 and 9 to repeal any part of our data protection legislation, which we have so carefully crafted and adopted. These are probing amendments but I certainly hope the Minister can give us the necessary assurance to make sure that such amendments do not reappear on Report.
My Lords, I thank the noble Lord, Lord Stevenson, for bringing before us what are undoubtedly very important issues. I am grateful to the noble Lords, Lord Warner and Lord Clement-Jones, for their contributions. I say by way of preface that the general data protection regulation comes into force on 25 May this year. Noble Lords will be aware that there is, as the noble Lord, Lord Stevenson, referred to, a Data Protection Bill currently before Parliament which fully implements the current EU framework, including the GDPR. We would not have chosen to legislate in this way if we were not committed to that EU framework. To be fair, the noble Lord, Lord Stevenson, was gracious enough to acknowledge that. I also say that to seek to reassure the noble Lord, Lord Warner. Let me try to help a little further.
As the Prime Minister has set out, the Data Protection Bill will ensure that we are aligned with the EU framework, but we want to go further than that and further than the typical adequacy agreement—I think that this was the concern of the noble Lord, Lord Stevenson. We want to seek a bespoke arrangement to reflect the UK’s exceptionally high standards of data protection. To reassure the noble Lord, Lord Clement-Jones, this would include an ongoing role for the UK’s Information Commissioner’s Office and effective representation for UK businesses under the EU’s new one-stop shop mechanism for resolving data protection disputes.
Even with that background and that backdrop it is nevertheless crucial that we have powers to correct any deficiencies that arise as a result of the current text of the GDPR being retained in the UK, post exit, word for word. For example, at its simplest we will need to replace references to “Union law” and “member states” with references to “UK law” and “the UK” respectively. We will also need to replace specific articles that do not make sense in a UK-only context; for example, article 3 on territorial scope. These are, of course, exactly the same kinds of changes that will need to be made to a wide range of EU-derived legislation to ensure a smooth exit. Where I slightly differ from the noble Lord, Lord Stevenson, is that while data protection is extremely important, there is nothing particularly special about data protection in this regard.
The difficulty about the amendments tabled—we have to be quite clear about this—is that they would remove the powers that allow the Government to remedy these deficiencies or make any other adjustments to the GDPR to ensure we have complied with our international obligations or implemented the withdrawal agreement. Alarmingly, this would damage the integrity of our regime and put at risk the data flows between the UK and the EU, which are crucial, I think we all agree, for our shared economic prosperity and wider co-operation, including on law enforcement. It is essential that we have the powers to ensure that the UK legislation framework remains functional after our exit. Of course, I accept that exactly how the powers in Clauses 7 to 9 will be used in relation to data protection depends on the outcome of negotiations, but I hope it is helpful to noble Lords to have the illustrative examples I have provided on the record.
I hope I have reassured noble Lords of our commitment to both data protection and the flow of data between the UK and the EU and in these circumstances I urge them not to press their amendments.
My Lords, since we are in Committee I have a question for the Minister. She has said that there may be some need to slightly alter data protection legislation, but this is very broad. Surely, there is scope for a much narrower formulation, so that those adjustments could be made without any radical changes to our current data protection law.