Leaving the EU: Data Protection

Thursday 12th October 2017


Commons Chamber
Matt Hancock

I pay tribute to the right hon. Gentleman’s extensive understanding of these issues, not only from his time as a Minister but since. His understanding is so good that he has correctly anticipated the next page of my speech. That is exactly what we are seeking, because it is strongly in the mutual interests of the UK and the rest of the EU that such an arrangement is put in place.

Having just set out my punchline, perhaps I can describe the build-up to it. The goal is for data to be unhindered when security and privacy are respected. It must be unhindered, so that trade and communication can be effective and so that we can innovate in the use of information, including through advanced techniques such as machine learning and artificial intelligence. But data can be unhindered only where it is appropriate for it to go—with data held securely and privacy respected—which means where there are high standards of cyber-security and data protection.

On cyber-security, the 2017 British Chambers of Commerce digital economy survey reveals that at least one in five UK firms were subject to a cyber-attack in 2016, with larger firms more likely to be hit. As more and more citizens, and the wider economy, rely so heavily on digital technology, it is vital to keep data safe from cyber-attack. On the other side of the coin from strong cyber-security is strong data protection. The UK has been a world leader in data protection for a long time, combining privacy with support for dynamic data-driven innovation. We are determined to ensure that, after our exit from the EU, the UK remains a global leader, promoting both the flow of data internationally and high standards of data protection.

For more than a generation, the Data Protection Act 1998 has been regarded as the gold standard in the world. That Act, which was based on European rules set out in 1995, was the result of a piece of work that started under the then Conservative Government, with the legislation enacted by the subsequent Labour Government. That demonstrates the cross-party approach that has been taken to data protection in the UK. Technology marches on, however. It is almost 20 years since the 1998 Act, but the legislation needs to be kept up to date in this changing world. The Data Protection Bill, which had its Second Reading in the other place earlier this week, will modernise data protection legislation, giving citizens more rights over their data while allowing businesses to use modern data management techniques. It offers greater transparency and accountability, thus giving people more reassurance about how their personal data is used by businesses and organisations. Increased accountability and public confidence in how data is used can enhance the digital economy for the benefit of all.

To return to the point made by the right hon. Member for East Ham (Stephen Timms), the Bill will prepare Britain for Brexit. It will extend the EU’s general data protection regulation—GDPR—and bring into UK law the law enforcement directive. It will extend the principles of GDPR into many areas of our domestic law, which will help to ensure that we prepare the UK for the future after we have left the EU. The implementation of the Bill will ensure that we preserve the concepts of the Data Protection Act that have served us so well. We will aim to ensure that the transition for businesses, individuals and charities is as smooth as possible, while complying with the GDPR and the law enforcement directive in full. That means we will be as well placed as possible to achieve the unhindered flow of data with the EU through something akin to the adequacy deal mentioned by the right hon. Gentleman. That is strongly in the interests of both sides in the negotiation.

Brendan O'Hara (Argyll and Bute) (SNP)

The Minister said “something akin” to an adequacy deal. Will he explain what that might mean?

--- Later in debate ---
Brendan O'Hara (Argyll and Bute) (SNP)

At the start of this week, the Prime Minister told the United Kingdom to be prepared for the possibility of a no-deal Brexit. The warning was clear and unambiguous that with gridlocked negotiations a no-deal Brexit was becoming increasingly likely. Of course, the effects of a no-deal Brexit would be catastrophic. The consequences for our economy, our trade and our EU citizens are obvious, and they have been well documented. Less obvious, and among the multitude of hugely important issues that rarely make the headlines, is the impact on data protection of the UK leaving the European Union without a deal.

Data protection has been described by The Economist and others as:

“The world’s most valuable resource”.

The hon. Member for Cardiff West (Kevin Brennan) described data as “the new oil”. Currently, the UK Government define data protection as the controls on how personal information is used by organisations, businesses or the Government. Everyone responsible for using data has to follow strict rules, and they must make sure that the information is used fairly and lawfully. Information that is held on individuals can include their name, address, credit history, employment history, salary details and even internet browsing history. I am sure that right hon. and hon. Members would wish some, if not all, that information to remain as secure as possible. Robust and strict data protection is therefore absolutely essential to avoid any improper use of that information, whether for online fraud or identity theft, and to keep it from falling into the hands of people or organisations with which we would rather not share it.

Data protection may not be something that we think about every day—indeed, it may not even cross our minds from one year to the next—[Interruption.] Perhaps that is not the case for my hon. Friend the Member for Glasgow North (Patrick Grady). Whether we think about data protection on a daily basis or not, its importance is not diminished. That is why it is absolutely vital that the level of data protection we currently enjoy as EU citizens is guaranteed on day one of Brexit, so that businesses and individuals can continue to rely on existing data flows. It is no exaggeration to say that millions of jobs across Europe rely on data protection and data processing to a greater or lesser extent.

As the Minister acknowledged, the security we receive from our data protection legislation already has a distinctly European flavour, originating as it does from the 1995 EU data protection directive, which was adopted into UK law in the Data Protection Act 1998. Since then, the way in which we create, collate, access and use data has changed enormously, as has the amount of data we create as individuals and as a society. In recognition of that, in 2016 the EU introduced a new legislative framework for data protection: the general data protection regulation, of which we have heard so much, and the police and criminal justice directive. Both those pieces of legislation form the basis of the Data Protection Bill that is in Committee in the other place. The regulations will apply in member states from 2018, and EU member states are required to transpose the directive into national law by the same date.

The Scottish National party agreed with the Minister when he said in February that the GDPR was a “good piece of legislation”. We were pleased that it was included in the Queen’s Speech and that the Government made it clear that our current data protection framework would be amended and made compatible, so that we can adopt the new regulations. We very much welcome the Government’s move to implement the GDPR, giving people more power and control over their own data.

In normal circumstances, I believe that that piece of legislation would be relatively uncontentious. However, as it has done and I believe it will continue to do, Brexit makes the subject of data protection hugely problematic. If we are to leave the EU in March 2019, what is the future for our newly agreed and freshly implemented cross-border, pan-European arrangement with our EU partners? What will be the consequences for businesses and individuals if the UK suddenly finds itself on the outside without a deal to continue the free flow of data not just with the European Union, but with the safe nations with which the EU has secured a reciprocal deal? At a stroke, could the United Kingdom lose its right to exchange data with the United States, a nation on which the Secretary of State for International Trade and President of the Board of Trade seems to be pinning so much hope for our future trade?

We are in an era in which geographical boundaries for data do not exist. Today, as probably every speaker in this debate has said, almost half the large EU digital companies are based in the UK, and a remarkable 75% of cross-border data flow out of the UK is with EU countries. We also have significant data flow with the United States, which occurs because we enjoy access to the EU’s privacy shield agreement. There is no such thing as sovereignty where data is concerned. Currently, we are a signed-up member of an international network committed to safeguarding data. In this global economy, the unfettered free flow of data across international boundaries safely and without delay, cost or detriment is absolutely essential, not just for individuals and businesses but for agencies that need to work across international boundaries. We have heard about many of those agencies today, and they deal with matters such as crime prevention, disease control and national and international security.

For the UK to be able to take full advantage of the continued free flow of data with the rest of the European Union post Brexit, the most straightforward route would be for the EU to issue an adequacy decision. An adequacy decision, as we have heard, is given to a third country—a country that is outside the EU and the EEA—to allow it to operate securely and freely within the framework of the GDPR. It can be given to countries that meet the required standard of data protection, a criterion that currently applies to the United Kingdom. The problem is, however, that an adequacy decision is designed for third countries, and the UK is not—yet—a third country. Indeed, it will not be one until the end of the Brexit process. There is no existing legal mechanism to enable the EU to award an adequacy decision to a country in advance of its leaving the EU. As the leading data protection lawyer, Rosemary Jay, said, the EU has to go through a legislative process, and it is simply not in the EU’s gift to do this in an informal way. I cannot comprehend what the Minister meant when he said that he sought “something akin to” an adequacy deal.

Matt Hancock

The negotiation of the EU’s future relationship with the UK is not some sort of informal approach; it is a very formal set of talks. We hope that it will lead to a good deal, which we hope will include this area. That is exactly what I meant.

Brendan O'Hara

I thank the Minister for his point, but I stress again what Rosemary Jay said: the Commission has to go through a legislative process, and it is not within the EU’s gift to do this in an informal way. There could be a further complication in the UK’s achievement of an adequacy decision. As the hon. Member for Cardiff West said, ahead of granting an adequacy decision the European Commission is obliged to consider a variety of issues, such as the rule of law, respect for human rights and legislation on national security, public security and criminal law.

That being so, there is a very strong suggestion that the Investigatory Powers Act 2016 may jeopardise the ability of the UK to receive a positive adequacy decision. The Investigatory Powers Act has already been accused of violating EU fundamental rights. Eduardo Ustaran, the internationally recognised expert on data protection law, has said:

“What the U.K. needs to do is convince the Commission—and perhaps one day the European Court of Justice—that the Investigatory Powers Act is compatible with fundamental rights. That’s a tall order”.

While the Government are understandably desperate to secure an adequacy decision, the harsh reality is that a lengthy and challenging legal process may have to be undertaken before that happens.

I fear the Government are in denial about this. Indeed, when questioned by the Culture, Media and Sport Committee back in February about what would happen on the day after Brexit if we do not have an adequacy decision in place, the Minister said:

“we seek unhindered data flows but we want that to happen in an uninterrupted way—that is to say, on the morning on which we have left the European Union, it is very important that our data rules work, so that there is an uninterrupted system in place”.

He is absolutely right—I could not agree more—but that did not answer the question about what happens if we do not have such an adequacy decision in place on the day we leave.

Just yesterday, at the Digital, Culture, Media and Sport Committee, I asked the Secretary of State a very similar question about the need to have an adequacy decision in place when the UK leaves the EU. Her answer was that she was

“very hopeful of getting that deal”.

I am sure she is and I wish her well, but at the moment there is no deal in place. The longer negotiations are at a stalemate, while we continue without the legal mechanism to get a third country deal, and, given the issues in relation to the Investigatory Powers Act, securing the agreement the UK needs and absolutely desires is becoming less and less likely.

Another potentially huge problem arises if we do not secure an adequacy decision by the day on which we leave the European Union, because not only will we be outside the EU and isolated from the other 27 member states, but we will also be outside the EU-USA privacy shield agreement. The consequences of that happening may be unthinkable for UK businesses and individuals, but it is absolutely incumbent on the Government to think the unthinkable and to be adequately prepared for it. Putting all their eggs in the one basket of hoping to secure a negotiated adequacy decision is a very high stakes game, so I again ask Ministers: where is the plan B should there not be an adequacy decision? What assessment has been made of the UK not having such a decision in place on the morning on which we leave the European Union, and when will Members of the House be able to see that plan B and that assessment?

Nobody wants such a situation to arise—we want a deal to be struck—but even if the Government’s faith is rewarded and we do secure an adequacy decision, the UK faces another problem. As the GDPR evolves over time, as it surely will, the UK, to maintain its membership, will be required to amend its data protection law to keep in line with European law. The EU charter of fundamental rights and freedoms is now central to EU data protection law, and the charter is interpreted by the European Court of Justice, yet clause 6 of the European Union (Withdrawal) Bill quite clearly states that EU courts will cease to bind UK courts and tribunals following withdrawal. I suspect that if the UK does manage to secure an adequacy decision, to keep it, it will have to fall into line with the European Union Court of Justice.

As I said at the start, we welcome the Bill as a move to ensure that people have more control over their own data and to bring the legislation into line with the huge technological advances since the 1998 Act. We welcome the commitment to implementing the GDPR and to the UK remaining fully involved in protecting EU citizens’ data post-Brexit. We question, and we will continue to question, the Government on how they can take this forward when an adequacy decision is not guaranteed and while there are still unresolved issues about the Investigatory Powers Act, at the same time as they are seeking to remove the UK from the jurisdiction of the European Court of Justice.

Of course, it does not have to be this way. The best, easiest and most straightforward way to ensure that there are no disruptions to data flows between the UK and the EU after Brexit is for the United Kingdom to remain a full member of the single market. The agony and the fear for millions of businesses and individuals of being cut off from both Europe and America if we do not secure an adequacy decision could be avoided by our staying in the single market. Why put people and businesses through this?

After all, no one in any of the nations of the United Kingdom voted to leave the single market. In fact, two of the four nations of the United Kingdom voted to remain in the European Union. We are in this situation because of the Conservative party’s extreme interpretation of Brexit, and that is why we are now actually having to prepare ourselves for what, hitherto, was unimaginable—a no-deal Brexit, with the catastrophic consequences that it will inevitably have for our society and our economy.