(7 years, 1 month ago)
Commons ChamberIt does make sense, because all that does is restore us to a position pre 2009 in the European Union. The general principles will still apply. There is no inconsistency by allowing the general principles—subject to amendments, which I am not speaking on; I have some sympathy with the amendments tabled by my right hon. and learned Friend the Member for Beaconsfield —but I am convinced that incorporating the charter would be wrong and unwise. As a matter of policy, I urge my right hon. and hon. Friends and Opposition Members not to vote for that.
I rise to participate in this debate as something of a rarity: a non-lawyer. I will try to keep my comments within the allotted time of between 10 and 12 minutes.
I wish to follow the compelling and intelligent case made by the right hon. Member for East Ham (Stephen Timms), and I am delighted to speak in support of his amendment 151, which highlights, in particular, the consequences facing millions of British citizens and thousands of companies if the UK’s data protection legislation cannot be reconciled with EU law post Brexit. If clause 5 is passed unamended, and should the UK crash out of the EU on 29 March 2019 without a deal, I fear that the UK will find itself non-compliant with EU law and the charter of fundamental rights, and that therefore the framework that affords us the unencumbered free flow of data—not just within the EU, but with the safe nations with which the EU has reciprocal deals, including the United States—will immediately be under threat.
The consequences for the businesses and individuals who rely every day on that free flow of data across international boundaries—a free flow that needs to occur safely and without delay, cost or detriment—are unthinkable. As the Software Alliance said in its recent report,
“The benefits of cross-border data transfers are vital, not only for the technology sector but also for financial services, manufacturing, retail, healthcare, energy and most other sectors”.
The Data Protection Bill impact assessment, published last month, recognised the huge economic importance of the UK being able to guarantee effective unrestricted data flow and predicted that being at the forefront of data innovation could benefit the UK economy by up to £240 billion by 2020. Despite the warnings of businesses and their own impact assessment, however, the Government, in implementing clauses 5 and 6, seem determined to make the UK some kind of digital island, cut off from the rest of the global digital economy.
One would have thought, at a time of so many data breaches and cyber-attacks, that ongoing data co-operation with our European partners and others was not just desirable but essential post-Brexit. If creating a digital island is not the Government’s aim, I strongly suggest they make securing a workable compliant data protection deal with the EU one of their main priorities. It is not enough for them simply to assume that we will attain the status of adequacy by default—because we will have implemented general data protection regulations—or that, come what may, the minute we leave the EU our data protection laws will automatically be harmonised with the EU’s. That is simply not the case.
As we heard from the hon. Member for Nottingham East (Mr Leslie), the right hon. Member for East Ham and others, the European Court of Justice has already ruled, in both the Watson and Tele2 cases, that the implementing of a GDPR simply is not enough automatically to secure an adequacy by default agreement from the EU. The only avenue I can see for the Government, therefore, if they wish to achieve adequacy by default status, which they claim to desire, is to secure a deal with the EU that complies with European law before we leave. To do that, we would require a transitional period, during which we could negotiate a deal while remaining inside the single market and customs union and under the jurisdiction of the ECJ. That is one way for the Government to find time to negotiate the adequacy by default status. Of course, the other, and much more straightforward, option would be for the Government to commit to the UK remaining inside the single market and customs union and under the jurisdiction of the ECJ, given that no one in the UK ever voted to leave the single market or the customs union.
To be clear, the consequences of the UK crashing out of the EU without a deal would be catastrophic, particularly for businesses in the telecommunications and financial sectors, which are heavily reliant—almost entirely dependent—on the unrestricted free flow of data. The right hon. Member for East Ham detailed the importance of data to the UK economy. In the decade to 2015, the amount of cross-border data flow increased twenty-eightfold in the UK, and currently digital and data-intensive sectors of the economy account for 16% of UK output and 24% of our total exports. But as the clock ticks down to Brexit, I know that businesses that rely on the free flow of data are becoming increasingly concerned. They need to know now what is happening: they cannot plan for the future simply on the basis of a vague Government promise that somehow it will be all right on the night. I fear that, if they do not have guarantees about exactly what is happening well ahead of Brexit, they will vote with their feet and leave, like the European Medicines Agency, which announced last night that it was moving 900 high-tech, high-value jobs from London to Amsterdam.
Businesses cannot afford the risk of finding themselves outside the EU data protection area, and they cannot and will not wait until the last minute to find out what is happening. That is not commercially viable. Contracts would have to be rewritten and bills renegotiated, and things like that do not happen overnight. I fear that, if there is no agreement on an issue as fundamental as data protection, many large, high-net-worth companies which provide high-value jobs will begin to seek the stability that they need outside the United Kingdom.
As I said earlier, I seriously question whether maintaining a frictionless cross-border data flow is attracting enough of the Government’s attention during their Brexit negotiations. My alarm bells began ringing a number of weeks ago, when the Minister for Digital told the House that the Government were seeking “something akin” to an adequacy agreement. I had absolutely no idea what he meant then, and I am no closer to understanding now. “Something akin” to an adequacy agreement simply does not exist. An adequacy agreement is a formal legal position. It cannot be bent, moulded, or used as a quick fix to get a country, or a Minister, out of a sticky situation. The leading data protection lawyer Rosemary Jay said of adequacy agreements that the EU
“has to go through a legislative process. It is not simply within its gift to do it in some informal way”.
EU law is very clear: an adequacy decision can only be given to a “third country”— a country that is outside the EU and the European economic area—to allow it to operate securely and freely within the framework of the general data protection regulation, and an adequacy decision can only be given to a third country that meets the European Union’s high standard of data protection and whose domestic legislation is deemed compatible with the European Union’s charter of fundamental rights. The most obvious difficulty is that an adequacy decision is designed for third countries. The UK is not—yet—a third country, and it will not be a third country until the very end of the Brexit process.
There is a whole lot more to be considered. I cannot see how, without negotiating and securing a deal before leaving the EU, the UK can qualify for any sort of adequacy agreement, whether by default or otherwise. Even if the Prime Minister does secure a transitional period and is given time to sort out the UK’s adequacy problems, there is still no guarantee that adequacy by default will be achieved, because before granting an adequacy decision to a third country, the European Commission is obliged to consider a variety of issues such as the rule of law, respect for human rights and legislation on national security, public security and criminal law. That means that any deal that we reach with the EU will have to require at least a complete reworking—and, at best, a complete ditching—of the UK’s Investigatory Powers Act. In its present form, the Act leaves UK law incompatible with the charter of fundamental rights, which, as we have often heard, includes a chapter on the fundamental right to data protection.
On that basis alone, I am almost certain that the Act, which has already been accused of violating EU fundamental rights, will seriously call into question the UK’s ability to receive a positive adequacy decision. Eduardo Ustaran, a respected and internationally recognised expert on data protection, has said:
“What the UK needs to do is convince the Commission—and perhaps one day the European Court of Justice—that the Investigatory Powers Act is compatible with fundamental rights. That’s a tall order”.
The Government are understandably desperate to secure an adequacy decision by default or otherwise, but the harsh reality is that, at the very least, a lengthy and challenging legal process will almost certainly have to be undertaken before that can happen. That is why it is essential that the Government first secure the transitional period to keep the UK within the single market, the customs union and the jurisdiction of the European Court of Justice. We have to redraft the Investigatory Powers Act to make it comply with the charter of fundamental rights—if that is even possible, given the current form of the Act. Should that not happen, we will crash out of the European Union without a data protection deal, with all the devastating consequences that that would have for individuals and businesses.