Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 Debate
Full Debate: Read Full DebateBaroness Barran
Main Page: Baroness Barran (Conservative - Life peer)Department Debates - View all Baroness Barran's debates with the Department for Digital, Culture, Media & Sport
(3 years, 11 months ago)
Grand CommitteeThat the Grand Committee do consider the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.
Relevant document: 32nd Report from the Secondary Legislation Scrutiny Committee
My Lords, I am pleased to introduce a statutory instrument laid before the House on 14 October. Neither the Joint Committee on Statutory Instruments nor the Secondary Legislation Scrutiny Committee has drawn the House’s attention to this instrument.
When the transition period comes to an end, the EU’s regulation on data protection, known as the GDPR, will be retained in domestic law through the European Union (Withdrawal) Act 2018. Last year, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made. I will refer to those regulations as the main regulations. They were made to make minor and technical changes to the retained GDPR and the Data Protection Act 2018 to ensure that UK data protection law continued to be operable on exit day.
The instrument before noble Lords seeks to make some limited amendments to the main regulations, most of which address the fact that there has been a transition period. The majority of the changes are to references to “exit day” in the main regulations, which will be updated to read “IP completion day”. A small number of other changes relate to the transitional provisions for international transfers of personal data.
Binding corporate rules approved by EU data protection regulators enable multinational companies to transfer personal data within their group globally. The main regulations preserve pre-GDPR binding corporate rules that had previously been authorised by the Information Commissioner as a valid transfer mechanism after the transition period. However, a subset of pre-GDPR binding corporate rules currently relied on by organisations with data flows in the UK may have received authorisation from only EU supervisory authorities. This instrument makes provisions that will allow UK-based group members to use such rules as a valid transfer mechanism, if they obtain approval from the Information Commissioner within six months from the end of the transition period.
UK organisations can currently freely transfer personal data to EU and EEA states, and non-EEA countries for which the EU Commission has made adequacy decisions. The main regulations continue this position on a transitional basis and list the relevant adequacy decisions for clarity. This instrument updates the list to reflect developments since the main regulations were made by adding the 2019 adequacy decision for Japan and removing the reference to the EU’s adequacy decision for the US privacy shield. These amendments are not substantive and are entirely in keeping with the original intention of the main regulations, namely the continued free flow of personal data between the UK and third countries that have already been found to meet the requisite standards for data protection.
The main regulations also provided a legal basis for the continued free flow of personal data from the UK to the EU falling within scope of the law enforcement directive, otherwise known as the LED. The approach adopted in the main regulations was to transitionally deem EU member states and Gibraltar as adequate.
Since the main regulations were made, the Home Office has established that the EEA states, Norway, Iceland and Liechtenstein, and Switzerland, have also transposed the LED into their domestic law, which enables data sharing between authorities in the UK and law enforcement agencies within these countries for law enforcement purposes. To enable law enforcement co-operation and data sharing between the UK and EEA states and Switzerland to continue as it does now following the end of the transition period, this instrument adds them to the list of countries that will be treated as adequate, on a transitional basis, under Part 3 of the Data Protection Act 2018. This will be the most efficient way to ensure the flow of personal data, which is fundamental for law enforcement co-operation.
In 2019, an additional statutory instrument was made to amend the main regulations to reflect the arrangements made for personal data transferred from the UK to privacy shield companies in the US. As this adequacy decision has now been invalidated by the CJEU, the amending regulation no longer has any practical effect. Therefore, Regulation 7 revokes that amending regulation before it comes into force.
I have set out why our approach is an appropriate way to address deficiencies in our data protection regime resulting from the UK leaving the EU at the end of the transition period. This instrument will also revoke some EU legislation that would have no practical effect if it were to be retained under the European Union (Withdrawal) Act 2018 at the end of the transition period, such as Council decision 2004/644/EC, which adopts implementing rules of the European Parliament and European Council on the protection of individuals with regard to the processing of personal data by the community institutions and bodies and on the free movement of such data. This retained version of this decision will have no practical effect, so we are revoking it to keep the UK statute book tidy. I beg to move.
I am grateful to all noble Lords for their consideration of this instrument and their thoughtful contributions to this debate. The noble Lord, Lord McNally, pointed out the level of expertise around our virtual and physical Chamber. That is no novelty in this House, although having such a number of previous Ministers from DCMS here today feels like a particular form of pressure.
My noble friend Lady Neville-Rolfe and the noble Lord, Lord McNally, focused on the importance of achieving a data adequacy agreement with the EU. Doing this remains a priority of this Government. We are working constructively with the Commission to secure data adequacy by the end of the transition period and are making steady progress. We see no reason why we should not be awarded adequacy since we remain committed to high standards, but the process is controlled by the Commission and we are realistic about the increasingly challenging timelines for completing this.
To respond to my noble friend Lady Neville-Rolfe’s questions about preparation, the UK is taking sensible steps to prepare for a situation where adequacy decisions are not in place by the end of the transition period. In such a scenario, businesses and other organisations would be able to use alternative legal mechanisms to continue to transfer personal data—of course, standard contractual clauses are the most common legal safeguard and would be the relevant mitigation for most organisations.
Guidance can be found on both the GOV.UK website and the Information Commissioner’s website regarding steps that organisations may be required to take relating to data protection and data flows by the end of the transition period. Organisations can also call the Information Commissioner’s helpline for further information.
The noble Lords, Lord McNally and Lord Stevenson, talked about the rollover of Japan’s adequacy decision. Specific UK arrangements have now been confirmed regarding the recent EU adequacy decision for Japan. This secures the necessary protections for UK data as well as EU data, so that data that flows from the UK to Japan will continue to receive the same level of protection after the transition period as they currently do.
More broadly, in relation to the Japan free trade agreement—which was raised, again, by the noble Lords, Lord McNally and Lord Stevenson, as well as the noble Lord, Lord Wallace of Saltaire—the UK-Japan FTA includes three provisions that seek to enhance cross-border data transfer relating to personal information protection, cross-border flows and data localisation. The data provisions the UK has negotiated with Japan exceed those agreed previously in the EU-Japan economic partnership agreement, which contains merely a review clause, and will enter into force on 1 January 2021. The agreement recognises the importance of protecting personal data and commits both parties to maintaining a legal framework that provides for the protection of personal information.
I fear that I may disappoint the noble Baroness, Lady Fox, in her wish to see an end to the GDPR. The GDPR will be retained in domestic law at the end of the transition period, but we will have the independence to keep the framework under review. As with all policy areas, the UK will control our own laws and regulations in line with our interests as we move forward.
The noble Lord, Lord Wallace of Saltaire, questioned the impact on our data protection standards in relation to our trading relationship with the US. We know that, far from being a barrier to innovative trade, certainty and high data protection standards allow businesses and consumers to thrive. As all noble Lords have remarked, data is now the driving force of the world’s modern economies and fuels innovation across all sectors.
I thank my noble friend Lord Vaizey for his kind remarks about our new National Data Strategy. Sadly, I missed his maiden speech, so I am glad to have had the chance of a second session. The National Data Strategy is ambitious and pro-growth. We seek to ensure that people, businesses and organisations trust the data ecosystem, that they are sufficiently skilled to operate within it, and that they have access to high-quality data, as well as to provide the coherence and impetus for data-led work across government.
A number of noble Lords, including my noble friend Lady Neville-Rolfe and the noble Lord, Lord Stevenson, referred to the Schrems II decision. The UK Government are pleased that standard contractual clauses remain in place as an important mechanism for transferring data internationally, but we are disappointed that the EU’s adequacy decision on the US Privacy Shield has been invalidated by the CJEU in its judgment of 16 July. The Government are working with the Information Commissioner to address the impacts of the judgment on UK data controllers.
During the transition period, this includes the ICO supplementing the guidance provided by the European Data Protection Board and the European Commission with targeted advice to help UK controllers. Most recently, and since the Explanatory Memorandum was prepared, the European Data Protection Board has issued guidance on how to assess whether to supplement standard contractual clauses with examples of supplementary measures that could be used, if needed, to ensure that personal data remains protected to the required standard. It has also updated the templates for the standard contractual clauses. These were published for consultation on 12 November and have been updated to cover processor-to-processor and sub-processor transfers. The noble Lord, Lord Vaizey, commented on the boredom of data—maybe this is a small example.
In response to the remarks of the noble Lord, Lord Stevenson, the greatest impact will be on organisations which transfer data to the US, particularly to those US companies who had previously signed the privacy shield. After the transition period, the Secretary of State and the Information Commissioner will have powers to issue new instruments relating to transfers of personal data under Article 46 of the UK GDPR.
My noble friend Lady Neville-Rolfe asked about the burden on SMEs of having no adequacy agreement. Officials in DCMS, who were rightly congratulated on their work in this area, are engaging with SMEs through meetings and webinars to try to help them prepare for a scenario where adequacy decisions are not in place by the end of the transition period. In such a scenario, as noted already, organisations would be able to use alternative legal mechanisms to continue receiving personal data from the EU and the EEA.
The noble Baroness, Lady Fox, asked about the impact on law enforcement of not receiving adequacy. In this scenario, if we do not obtain a law enforcement adequacy decision, competent authorities would be able to rely on alternative mechanisms to continue receiving data from the EU, and transfers will most likely occur using the appropriate safeguards provision.
The noble Lord, Lord McNally, asked how we would continue to influence the development of international data standards. Since the UK is a signatory to the Council of Europe’s Convention 108, that is one route; the ICO also has functions to co-operate with data protection regulators in other countries.
I see that I have run out of time, so I apologise to those noble Lords whose questions I did not cover, but I will write. I thank all noble Lords again for their remarks.