Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 Debate
Full Debate: Read Full DebateLord McNally
Main Page: Lord McNally (Liberal Democrat - Life peer)Department Debates - View all Lord McNally's debates with the Department for Digital, Culture, Media & Sport
(5 years, 10 months ago)
Lords ChamberIf they fulfil those conditions that I mentioned, the answer is yes.
I would like to touch on what our exit from the EU might mean for the applied GDPR, as provided for by Chapter 3 of Part 2 of the Data Protection Act 2018. Noble Lords will recall that we created a separate regime which provides for broadly equivalent standards to the GDPR to apply to processing activities that are outside the scope of EU law and covered by neither Part 3 nor 4 of the Act, which deal with processing by law enforcement and intelligence services respectively. This regime currently applies, for example, where a controller other than the intelligence services is processing for national security or defence purposes.
As the EU GDPR will not, as a matter of domestic law, apply directly to any general processing activities when we leave the EU, these regulations are intended to simplify matters by providing for a single regime for all general processing activities. Those provisions in the 2018 Act that provide for the applied GDPR, together with other references to the applied GDPR in legislation, are removed. Importantly, the provisions in the applied GDPR which currently provide exemptions from specified provisions where these are required for the purposes of safeguarding national security or for defence purposes have been retained in the merged regime. These exemptions balance the need to protect personal data against ensuring that the UK’s security and intelligence community can continue to carry out its vital work to safeguard national security. I should emphasise that the merger does not itself alter the purview of EU law so where aspects of domestic data protection law were outside EU competence before exit day, this will not change as a result of this instrument. We have included provisions in the regulations to make that point clear.
I believe that the approach the Government are taking is an appropriate way of addressing the deficiencies in domestic data protection laws resulting from the UK leaving the EU. The aim of these regulations is to ensure continuity for data subjects, controllers and processors by maintaining the same data protection standards that currently exist under the GDPR and the Data Protection Act 2018.
My remarks have focused on the changes made to the GDPR and the Data Protection Act because they are the most significant. For completeness, I should add that the regulations make a number of minor amendments to other legislation, consequential on the amendments we are making to the UK GDPR and Data Protection Act 2018. For example, they amend references to the “GDPR” in other legislation to refer to the “UK GDPR”.
They also address a small number of non-exit-related issues. They clarify that the GDPR definition of consent applies for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003, and address two minor drafting issues that were identified in Schedule 19 to the Data Protection Act 2018, shortly before it received Royal Assent. I commend these regulations to the House
My Lords, I am not sure the Minister is going to have quite the easy ride he had with the first statutory instrument. My eye was caught by a very detailed briefing by the law firm Fieldfisher on the consequences of this SI. It was the final paragraph that caught my eye. It says:
“From a broader perspective, the creation of a new data protection regime in the UK may present additional complexities for controllers and processors who are caught by both European and UK law and will therefore need to comply with both the GDPR and (in relation to UK customer data) something that looks like the GDPR but which may start to move away from it as time goes on”.
Those last words are ominous. There is no doubt that the GDPR was a great success for European co-operation. The noble Baroness, Lady O’Neill, reminded us earlier of the wide range of issues that we will have to take into account in protecting our democracy from data abuses. There are similar dangers in the protection of our commercial and business life. The value of the GDPR is that it gives us a strength of certainty of European legislation.
I will delay the House a little with a reminiscence. Between 2010 and 2013 I was the Minister at the Ministry of Justice responsible for the earlier negotiations on GDPR. I went to a meeting in Lithuania and throughout the day I noticed that there was one person sat at the table who never participated, voted or said anything. At the end I turned to the British ambassador and asked, “Who is the guy at the end of the table—he has not said anything?” “That is the Norwegian,” he said. “He can come and listen, but can’t vote and he is not involved our decisions.”
I often think of that when I hear people banging on about sovereignty. Sovereignty was best exercised by British Ministers at the table briefed, I have to say, by officials who were the people to go to. I will not name any particular official, but there was one man to go to as GDPR clunked its way through the machinery. There were “light touchers” and those who had quite recently experienced a Stasi or state abuse of personal data and privacy, and balancing the requirements of GDPR was part of the diplomacy our officials showed. I was also greatly assisted by our parliamentarians in the European Parliament: my noble friend Lady Ludford was very influential in steering the GDPR through some choppy waters.
The noble Lord, Lord Forsyth, who is not in his place, said a few weeks ago in one of our Brexit debates that the first time he went as a Minister to Brussels he felt resentment and animosity that he was being, as it were, dictated to by these foreigners. I do not think that I am being too misleading in saying that; I am sure that he will correct me later if I am wrong. He certainly did not feel at home there.
Just to be clear, I did not say anything about the speed with which the European Commission would provide its decision.
Oh, dearie me. It is always the EU’s fault that we have got ourselves on this particular window ledge.
I am not blaming anyone, but an EU adequacy decision can be given only by the European Commission. It is not a question of blame; it is just a fact.
I will close with another one where I am sure that the Minister is not going to blame the European Commission but say that it is its responsibility. During the period that I am talking about, the stature and influence of our then Information Commissioner had a major impact on how we put the GDPR in place. Again, the Minister was unable to give us any real reassurances about whether we will be at the table in co-operation, or whether it is these difficult foreigners who are going to stop us doing that.
I am sorry, I cannot let that pass. I never said anything about difficult foreigners.
The Minister never said anything about difficult foreigners, but there has always been the impression that this would all be as smooth as smooth. “Do they not understand that we are trying to be helpful?”, we ask, when we have caused Europe so much disruption and cost by this act. In this case, it is essential that we are part of the ongoing dialogue. This GDPR is not the end of the process. As the House was discussing last week, these European laws are going to develop. How we then act and deal with them is going to affect where jurisdiction lies—with European or British courts.
The noble Lord has raised a litany of concerns about the GDPR regime after Brexit and cited a number of people who briefed him about it, including QCs and Members of the European Parliament. However, he will have noticed that there has been no public consultation at all on these regulations. There has been no opportunity for people directly affected to publicly brief us. Does he share my concern about that? Would he like to comment on the process of public consultation on these regulations?
It is, of course, a farce. These regulations are all being rushed through at the last minute and we know that we have to put them in place as the cliff edge approaches.
I do not want to be rude to Fieldfisher, because it provided some excellent briefing but, my God, the lawyers must be rubbing their hands at the cornucopia that is going to be tipped out to them as companies and individuals try to make sense of the reality. Whether we get a deal, or fall out, it will be a jagged, uncertain, unclear leaving.
Does the noble Lord accept just how unclear and what a complete pig’s breakfast the thing is already? I do not think you could make it worse. I have to deal with this on a day-to-day basis. It is a complete and utter mess and no lawyer can even give you a definitive opinion.
My Lords, I was planning a peroration, but I think I will leave it at that.
My Lords, first I have a couple of housekeeping questions which I hope are not too banal. I find considerable difficulty using the legislation.gov.uk website and its search function. Will the Minister ask his civil servants to check it out? Even if you search for “data protection 2019” under UK SIs, both the previous one and this are difficult to find. There was a 19 December version of these regulations, which were replaced in January. I must admit that I have not pored over every line of both to find the differences. Will the Minister explain why that was necessary?
Secondly, I want to ask about the absence of an impact assessment. Paragraph 12 of the Explanatory Memorandum states that:
“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”.
The pretext is that, while the Government recognise that:
“Data flows from the EEA to the UK may be restricted post-exit”—
because, if there is no deal, we will be plunged into a situation where there is no legal framework and no adequacy decision—
“that is as a consequence of the UK leaving the EU, not as a result of this instrument”.
That is the justification for having no impact assessment. However, if we left with a withdrawal deal and a transition there would be a legal framework, so this instrument, which provides for both a no-deal scenario and one in which there would be no adequacy decision, surely merits an impact assessment as well as the consultation to which the noble Lord, Lord Adonis, referred.
As the ICO has made clear, and as has been mentioned already, businesses may have to deal both with the ICO and with European data protection authorities in every EU and EEA state where they have customers. They may need a European representative if they process the data of people resident in the EEA or have customers in the EEA. There would be additional complexity if they had to comply with both the GDPR and the UK GDPR. They could face concurrent legal claims in both the UK and the EEA. Will the Minister amplify the justification for having no impact assessment? Data flows are crucial to many businesses, not just the tech industry—there is hardly a business or other organisation that they do not affect—so the rather blasé claim that no impact assessment is needed is not justified.
I am a bit confused—it may just be my lack of understanding—about the situation regarding EU adequacy decisions on third countries. Paragraph 2.8 of the Explanatory Memorandum says there will be,
“incorporated into UK domestic law … EU decisions on the adequacy of third countries and on standard contractual clauses, both of which are relevant for … international transfers”.
Paragraph 2.13 says:
“It will not be necessary to retain the EU decisions on adequacy and standard contractual clauses … so these are revoked by this instrument”.
If I have understood the Minister’s presentation, this is explained by the fact that we are recognising and incorporating past EU adequacy decisions, but that in the future, in a no-deal scenario, the UK will take over that function: I venture to suggest that that is not very clearly explained in the Explanatory Memorandum.
My Lords, the noble Baroness, Lady Ludford, has raised some important points. It is totally unjustifiable that there is no impact assessment for this regulation; I hope that the Minister will address and explain that. The noble Baroness also made an important point about the way that data adequacy will be assessed if we are outside the EU, particularly in a no-deal scenario.
I will extend that to cover my perennial theme of consultation. No issue affects businesses and individuals across the country more than data. Indeed, we went through the whole GDPR exercise precisely because this is so central to our individual and community life. The fact that there has been no consultation at all on this regulation seems truly indefensible, so I hope that the Minister will say why that has been the case. The noble Lord, Lord McNally, said that data is now the new oil. He is absolutely right; it is as important to the functioning of our economy and our society as energy—it is a form of energy—and there clearly should have been consultation. Can the Minister say why there was no consultation? I assume that he will tell us again that there was no time, which begs the question of why we are going through this no-deal process at all if there is not time to conduct the normal processes of government in respect of it.
As ever, there is a bizarre twist to the statement on consultation. Paragraph 10 of the Explanatory Memorandum states:
“The government has not consulted publicly on this instrument”.
I presume that that means that they have consulted privately, and the House needs to know who has been consulted privately. The only body mentioned in paragraph 10 is the Information Commissioner’s Office, with which, it states, the regulation has been developed in consultation. Who else has been consulted privately and what were the selection criteria? Since the regulation was published, there have been representations. What representations have been made to the Minister’s department and what was their content?
The noble Baroness, Lady Ludford, also raised the issue of trying to assess the impact. Again we have doublespeak in respect of the regulations. We are told that their literal interpretation means that there is no further impact over and above the operation of existing European law. However, that is after, in the words of the White Queen in Alice in Wonderland, you have believed six impossible things before breakfast. Paragraph 12, entitled, “Impact”, states:
“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”,
but concludes:
“Data flows from the EEA to the UK may be restricted post-exit, but that is as a consequence of the UK leaving the EU, not as a result of this instrument”.
It is impossible to separate the instrument from the fact that we are leaving the EU. The noble Baroness put her finger on a very important point, which is that if we leave the EU with a deal on the basis recommended by the Prime Minister, the impact might be radically different from that envisaged under the instrument, for two reasons. First, there will be a transition period in which nothing changes but, secondly, the political declaration heralds negotiations on a whole set of issues, including trade and data flows, which might well lead to our continuing in the existing GDPR regime. So the last sentence of paragraph 12 is not true. It is not true to say that the issue of data flows and the regulation of data is dependent on the UK leaving the EU, not as a result of the instrument. There is a crucial difference between leaving the EU with a deal—in particular, with a deal that maintains the status quo—and without a deal.
When the noble Lord, Lord McNally, cited one of his expensive lawyers, who had suggested that there may be additional complexity—
I was not suggesting that they were his personal expensive lawyers, just expensive lawyers who have chosen to brief him; I know that he could not possibly afford expensive lawyers. When he said that it depends on what happens as time goes on, he put his finger on a very important point. The whole point of no deal, with a separate regime under our ICO, is that we could quite quickly find ourselves diverging, and as we diverge, that will quickly impose burdens over and above those that would apply even if we left the EU with a deal.
I am also not sure it is true to say that there would be no burdens as a result of the regulations even at the outset. I am a lay man in this business, and trying to understand what is going on is very difficult, particularly because there has been no consultation and we do not have the opportunity to assess what people who are expert and directly affected have said. The reason I intervened on the Minister in his opening remarks is that, having been a company director who has had to deal with the implementation of the GDPR, I know that having a representative dealing with data matters inside the EEA is very important. Many companies have offshored a lot of their data-control activities, and the requirement of the GDPR that they must have a representative inside the EEA—which I think is the correct thing to do—is a definite burden. It means that companies not only have to employ additional individuals but have to set up additional offices, in essence, to cope with those flows in many cases, particularly if they are dealing with significant data-handling exercises which are outside the EEA at the moment. This happens all the time with call centres in India; many companies are in this territory.
My understanding of what the Minister said in our earlier exchange is that if we leave with no deal and therefore must set up our own UK data-monitoring regime immediately, there will be a requirement for every company operating outside the EEA—which must, under the GDPR, have a representative inside the EEA—to have a representative in the United Kingdom. I would be grateful if the Minister could confirm that because if it is true, that is an immediate and potentially significant burden.
The other important point is that people need to understand that these arrangements are reciprocal. One reason why we as a country have such a good services industry is that a lot of companies based in the UK do substantial business in the EEA and beyond. That is great. My assumption, although it is not spelled out in the Explanatory Memorandum, is that in a no-deal scenario, data controllers who are based in the UK but do substantial business in the EEA will be required by the European Union to have representatives in the European Union over and above their data controllers in the UK; these are not currently needed. I would be grateful if the Minister could address that point. This flows logically from the new regime being set up. I would be astonished if that is not the case because I do not think that the European Union would regard having a data controller in the United Kingdom as meeting its standards of data adequacy. I would be grateful if the Minister could confirm that.
On that point, it is apparent that this immediately imposes a burden, potentially a significant one, on every company that handles data in the European Union or the EEA, as opposed to just in the UK. That represents a substantial proportion of our companies. If we had had an impact assessment, as the noble Baroness, Lady Ludford, suggested, this issue would have been brought out and we would know its effect. If there had been public consultation, we would know, but there has been none—and we have had no impact assessment. To my surprise, the Select Committees of this House that oversee instruments and put them to us have not raised these issues, which seem substantial and should have been raised before these instruments came to this House.
I have to say that this for me is a black box. Because of my other duties I have not been able to spend time analysing what is going on in Sub-Committees A and B, but this is very important because hundreds of these instruments are coming to us.
I turn to the issue of there being no consultation, which my noble friend Lord Rooker referred to. I have been going on about it for weeks. This has been true of every single no-deal instrument that has come to your Lordships. It is deeply and profoundly unsatisfactory. In my view this ought to have been flagged up for each of these instruments from the beginning and ought to have been a reason for them not to come before the House. How can we possibly conduct the proper business of the nation in terms of changing the law when we do not have any public consultation with any of the sectors that are affected by these instruments? We are dependent on the expensive lawyers of the noble Lord, Lord McNally, even to spell out the most basic features of these regulations—which, first, will not be apparent to those of us who are lay people and, secondly, which those people who are affected have had no opportunity to present except through the agency of expensive lawyers who seek to make a living. Of course, the expensive lawyers referred to by the noble Lord, Lord McNally, will now advertise their wares to companies, telling them what the impact of these things is going to be because they did not have a chance to engage with them earlier and make their views known, particularly if they start being adversely affected.
My Lords, I never described them as expensive lawyers—otherwise they might never write to me again. I said that they were distinguished lawyers.
My Lords, I do not think that it is possible for my blood pressure to be higher on these matters. However, I hope that the blood pressure of the House is high, because we are supposed to be legislating on behalf of the country, and the proceedings of your Lordships in respect of these no-deal statutory instruments are an absolute farce. I do not think that the procedures of the House are working well. The fact is that the two chairs of our relevant sub-committees cannot even agree on a letter to send to the Treasury in respect of the handling of consultation. The fact that it is about six months after we started getting the initial flow of statutory instruments on this matter coming to the House is in itself deeply unsatisfactory and is not a good commentary on the way our parliamentary proceedings are working. Moreover, the fact is that what we get are bromides from the Government that there is no change, based on there being no impact assessments, no consultation and a complete misreading of what the situation is in any event, because it involves a denial of all of the negative consequences that will flow from leaving the European Union, which of course is the underlying fact that they should be grappling with in the first place when conducting consultations and impact assessments. It is deeply unsatisfactory.
The right thing for this House to do would be to reject these instruments. We should not be a party to such an abuse of our constitutional procedures as is taking place with these no-deal instruments. What we will be faced with, though—I feel this pressure myself—is that we could crash out of the European Union in an unconscionable act of misgovernment in the course of five weeks’ time, so we have to do our level best to ensure at least that there is a statute book in place for that eventuality. But I and other noble Lords want to put on the record that the situation we are faced with, and which gets worse with every debate that flushes out more facts about what is actually happening, is a complete abuse of our constitutional procedures.
That last point is very important. Somebody pointed out the other day that one day there will be a full judicial inquiry into how this process has been carried through. Ministers and civil servants should be aware that one day there will be accountability for the way this has been done.
The noble Lord is right, but I do not think that that day is far off; I think it will come soon. Let us be clear: we are not talking about a natural disaster. As a Minister, I often had to deal with those. When there are ash clouds and volcanoes erupt, you have to take very difficult and extreme decisions at short notice. Here we are talking about an act which the Government are inflicting on the country, with no external agency whatever. Not only that, but the Government could this afternoon terminate the situation we are faced with, in respect of these no-deal regulations, by the Prime Minister announcing that she is not proceeding with no deal and that she will, on behalf of the United Kingdom, submit a request to extend Article 50—or, as we now know she can do from the judgments of the European court, rescind it unilaterally. This will be a big matter for the public inquiry that the noble Lord, Lord McNally, is referring to. All the consequences of this no-deal situation are caused by the Government, and the remedy for them is entirely at the disposal of the Government. It is our absolute duty to point this out all the way through this process, so that at least some of us in the parliamentary system can point to the fact that we did our level best not to take the nation to the edge of the cliff where we are now at.
Coming back to this instrument, it is totally unacceptable that we are dealing with such an important set of regulations relating to the fundamental issue of data and data protection and there has been neither an impact assessment nor any public consultation.
I withdraw the word “farce”. However, while the Minister is putting great emphasis on the good fit between what he is proposing and the GDPR, the reason why that good fit exists, as I said in my remarks, is that the GDPR itself was massively influenced by British officials, who played a major role in its construction. What he is gliding over in his assurances is that if, as is likely, there are changes in the European GDPR in future then we will be coming, like the Norwegians, only to listen and accept—because, make no mistake, if there are changes in future, it will be massively in Britain’s interest to accept them. This is the loss of sovereignty that the whole process is trying to glide over. We will not have the same influence on data protection in future as we have had in the GDPR itself, which is why the fit is so comfortable at the moment.
Forgive me, but I would like to follow up on that. I really think the Minister is overselling what is in paragraph 9 of the political declaration. Last June, the Government issued a technical note about wanting a legally binding data protection agreement, and I described that earlier as a “Brexit in name only” kind of arrangement. They wanted that because there are,
“benefits that a standard Adequacy Decision cannot provide”.
Except for one sentence in paragraph 10 that talks about arrangements for appropriate co-operation between regulators, paragraph 9 is about a standard adequacy decision—no less but certainly no more. It talks about the European Commission recognising,
“a third country’s data protection standards as providing an adequate level of protection”.
It is not what the Government hoped for last June. I do not understand why the Government are trying to pretend. We can all read paragraph 9 once we have googled it and reminded ourselves, so to say that it is more than an adequacy assessment process is simply not true.