Leaving the EU: Data Protection

Alex Sobel Excerpts
Thursday 12th October 2017

Commons Chamber
Alex Sobel (Leeds North West) (Lab/Co-op)

I congratulate my hon. Friend the Member for Warwick and Leamington (Matt Western) on his maiden speech, which reminded me of a happy childhood visit to Warwick castle. I am sure that he will make fantastic contributions to the House in the future.

The transfer of data is critical for the functioning of our economy. The proper management and control of data is increasingly a matter of civil liberties. Roughly 70% of the UK’s trade in services is reliant on the free flow of personal data. The EU’s data economy is expected to be worth £643 billion by 2020 and millions of UK citizens share their lives online. To be able to operate, UK businesses require clarity on the legal basis for data transfer post Brexit.

As the Minister asserted, the Government’s future partnership paper presents the adequacy model as the basis for a future UK-EU agreement on exchanging and protecting personal data. As my hon. Friend the Member for Cambridge (Daniel Zeichner) said, the alternatives—making use of binding corporate rules or standard contractual clauses—would be burdensome, costly and create considerable uncertainty for individuals and businesses. Given that a post-Brexit UK will find itself in a position of unprecedented alignment with existing EU laws and norms, it does appear that an adequacy agreement is the most sensible way forward. The UK—it is hoped—will be designated by the European Commission as providing adequate protection for personal data, and it will be business as usual.

As the House of Lords European Union Committee has made clear, however, even if the UK positioned itself in perfect alignment with EU rules as it exits, it is very likely that the EU will amend or reform its data law in the near future, thus threatening the UK’s adequacy status. Divergence between the EU and a post-Brexit UK may come sooner rather than later.

In 2009, the EU’s charter of fundamental rights became legally binding. The charter codified existing EU rights and principles and is now the source document for EU fundamental rights. Article 8 of the CFR covers the protections of personal data—the right to privacy and the right to data protection that serve as the foundation for the EU’s data protection law. The European Union’s general data protection regulation, which will apply in the UK from May 2018, creates and enhances data protections and rights for EU citizens in continuity with the principles of article 8 and the CFR more generally.

Much is made of the EU’s novel right to be forgotten, but the GDPR also speaks to the issue of algorithmic decision making and processes that significantly affect users every moment of the day for most of our citizens—the Minister is probably being affected right now, as he is on his phone. It also creates a right to explanation whereby individuals can ask for details on how decisions about them were made—for example, on access to credit. As such, the GDPR creates a requirement on those designing algorithms and evaluation frameworks to avoid prejudicial decision making and to enable easy explanations for users.

Those rights and norms are at the cutting edge of global data protections law and are essential for our tech industry in the UK. They are possible because the EU is developing its data protection laws in accordance with the principles expressed in the charter of fundamental rights. However, the Government have made it clear that the charter will not form part of domestic law on or after exit day. As such, significant divergence from EU data protection norms may begin sooner than expected, putting our tech industry in incredible jeopardy.

Once the UK has surrendered its place at the EU’s decision-making table, as is the Government’s intention, our ability to exert influence on the future of EU data law will be greatly diminished. Not only are we presented with yet another possibility of the UK being demoted from rule maker to rule taker, but the constant anxiety that the UK may fall out of compliance with EU data laws is deeply unhelpful to individuals and UK businesses of whatever magnitude. If compliance with the charter of fundamental rights is required in practice to secure regulatory harmony and thus business confidence, the Government’s commitment to jettisoning the charter appears increasingly odd.

Securing the free flow of data, especially for an economy such as ours that is largely service-based, should be a pressing imperative for the Government. Ensuring that individuals are protected by rigorous data protection laws should be a top priority for the Government. I think it prudent therefore that the Government look again at their intention to bin the charter of fundamental rights as part of their EU withdrawal plans.