Data Protection Bill [HL]

Baroness Hamwee Excerpts
Monday 30th October 2017


Lords Chamber
Lord Clement-Jones (LD)

I will speak to Amendment 115 in this splendidly and creatively grouped set of amendments. The Government appear to have removed some of the extraterritorial elements in the GDPR in applying derogations in the Bill. Paragraph 9(d) of Schedule 6 removes all mention of “representative” from the Bill. This could have major consequences for data subjects.

Article 3 of the GDPR extends its provisions to the processing of personal data of data subjects in the European Union by a controller not established in the European Union. This happens when a controller is offering goods or services into the European Union. In such circumstances, article 27 requires a representative to be appointed in a member state, if a controller is not in the Union. This article is removed by paragraph 23 of Schedule 6.

Recital 80 of the GDPR explains the role of the representative:

“The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority … including cooperating with the competent supervisory authorities … to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.


Supposing that a company incorporated in the USA does not have a place of permanent establishment in the UK but still falls within article 3, such a company could be established in the USA and use its USA website to offer services to UK citizens without being caught by the Bill. Can the Minister reassure us that there is a solution to this problem?

Baroness Hamwee (LD)

My Lords, I am glad that the noble Lord, Lord Stevenson, has raised the question of the meaning of “broadly equivalent”. It encapsulates a difficulty I have found throughout the Bill: the language of the GDPR and of the law enforcement directive is more narrative and descriptive than language to which we are accustomed in UK legislation. Though one might say we should just apply a bit of common sense, that is not always the first thing to apply in interpreting UK legislation.

In this clause, there is another issue apart from the fact that “broadly equivalent” gives a lot of scope for variation. Although Clause 3 is an introduction to the part, if there are problems of interpretation later in Part 2, one might be tempted to go back to Clause 3 to find out what the part is about and be further misled or confused.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

My Lords, I am grateful to noble Lords for their comments and the opportunity, I hope, to make things clearer. Amendment 5 seeks to make it clear that the applied GDPR does not apply to processing activities which fall outside the scope of EU law. Amendment 6 examines the differences between the GDPR and the applied GDPR. The applied GDPR exists to extend the GDPR standards for personal data processing to datasets outside the scope of EU law, which may be otherwise left unregulated. This is an essential extension because, first, we believe that all personal data should be protected, irrespective of EU legal competence; and, secondly, we need a complete data protection regulatory system to secure the future free flow of data.

Chapter 3 of Part 2 and Schedule 6 create the applied GDPR, which is close to, but not identical to, the GDPR. This is primarily because we have anglicised it as it sits within our domestic law, not European law. References to member states become references to the UK. As domestic regulation it is also outside the scope of the functions of the European Data Protection Board, so appropriate amendments are needed to reflect that. Otherwise the same general standards and exemptions apply to the applied GDPR as for the GDPR.