26 Daniel Zeichner debates involving the Department for Digital, Culture, Media & Sport

Data Protection Bill [ Lords ] (Third sitting)

Daniel Zeichner Excerpts
Thursday 15th March 2018

Public Bill Committees
Daniel Zeichner (Cambridge) (Lab)

It is a pleasure to serve under your chairmanship, Mr Streeter. I listened closely to the Minister—I am struggling with the real and the applied GDPRs, as I am sure we all are—and the sense I get is that that will lead to potential divergence, which could have further consequences. We have reached an important point in the discussion. If we have divergence a few years down the line, does that not put adequacy at risk?

Margot James

I reassure the hon. Gentleman that divergence, if it occurs, will apply only to the applied GDPR, which is outside the scope of EU law, and therefore may well apply in a similar sense to member states as well as to us, when we become a third country.

--- Later in debate ---
Darren Jones

My right hon. Friend is exactly right. Of course, the Information Commissioner is an excellent commissioner. We are privileged to have Elizabeth in the role here in the UK, not least with her experience, as a Canadian, of being in a third country. That is why I put some flexibility into my amendment—to recognise that situations may arise about which we cannot hypothesise today in which the commissioner will need some flexibility. Under my amendment, she has the power to add modifications that she considers necessary. The Government’s concerns about the lack of flexibility are not reflected in the drafting of my amendment, as I have tried to deal with that.

The idea that the amendment increases the European data protection board’s power is incorrect, because this is UK law, not European Union law. The amendment merely says that we will go only slightly further, with flexibility, by recognising that in the decisions that we want to be a part of—that is a really important point here—and to influence, we will take the obligations as well as the responsibilities, should we be invited to.

Daniel Zeichner

Could the Bill not also put the Information Commissioner in an extraordinarily difficult position? Decisions that she may make in the future could have huge political consequences. I would be surprised if she wanted to take that on.

Darren Jones

I agree with my hon. Friend. The reality may be that under the wording in the Bill, the Information Commissioner has no choice but to apply and incorporate the European data protection board’s decisions if it is to keep up and maintain adequacy.

That is why the amendment is not something to worry about. It seeks to do what will probably happen in practice, but it puts our commitment to that relationship in the Bill. When we say to Europe that, uniquely, unlike any other third country and despite not being a member of the European Union, we want to have a position of influence on the EDPB, we can also say that we recognise that no one else has that level of influence, but in seeking to have it, we have made commitments to that future relationship in UK legislation.

I do not think any other Members here are members of the European Scrutiny Committee, but I spent the whole of yesterday afternoon losing votes on amendments to a report, and I rather enjoyed myself, so I will press this amendment to a vote.

Question put, That the amendment be made.

--- Later in debate ---
Victoria Atkins

I am very happy to write to the right hon. Gentleman about that. The exemption does not cover all processing of personal data by the Ministry of Defence, but I am happy to write to him on that subject.

It may assist the Committee if I give a few examples of processing activities that might be considered to fall into the definition of defence purposes requiring the protection of the exemption. Such processing could include the collation of personal data to assist in assessing the capability and effectiveness of armed forces personnel, including the performance of troops; the collection and storage of information, including biometric data necessary to maintain the security of defence sites, supplies and services; and the sharing of data with coalition partners to support them in maintaining their security capability and the effectiveness of their armed forces. That is not an exhaustive list. The application of the exemption should be considered only in specific cases where the fulfilment of a specific data protection right or obligation is found to put at risk the security capability or effectiveness of UK defence activities.

The hon. Member for Sheffield, Heeley asked for a definition of national security. It has been the policy of successive Governments not to define national security in statute. Threats to national security are constantly evolving and difficult to predict, and it is vital that legislation does not constrain the security and intelligence agencies’ ability to protect the UK from new and emerging threats. For example, only a few years ago it would have been very difficult to predict the nature or scale of the threat to our national security from cyber-attacks.

Clause 26 does not provide for a blanket exemption. It can be applied only when it is required to safeguard national security or for defence purposes.

Daniel Zeichner

What weight does the Minister give to the written evidence that the Committee received from the Information Commissioner’s Office? It is obviously expert on this issue, and it addresses some of the points she made. It concludes that there is no threshold for when “defence purposes” are to be used, and that there is no guidance

“for when it is appropriate to rely on the exemption.”

What weight does the Minister give to that, and what is her response to the concern raised by the Information Commissioner’s Office?

Victoria Atkins

Again, surely it is for the Executive—elected officials—to take responsibility for decisions that are made by data controllers in the Ministry of Defence. Obviously, the Department has considered the Information Commissioner’s representations, but this is not a blanket exemption. The high threshold can be met only in very specific circumstances.

Question put and agreed to.

Clause 26 accordingly ordered to stand part of the Bill.

Clause 27

National security: certificate

Data Protection Bill [ Lords ] (First sitting)

Daniel Zeichner Excerpts
Tuesday 13th March 2018

Public Bill Committees
Margot James

I certainly can confirm that the schools that the right hon. Gentleman has cited—academies run by private sector organisations and/or charities—are public authorities for the purposes of the Bill, and will be subject to the same protections.

Question put and agreed to.

Amendment made: 8, in clause 7, page 5, line 13, after “specified” insert “or described”.—(Margot James.)

See the explanatory statement for Amendment 7.

Clause 7, as amended, ordered to stand part of the Bill.

Clause 8

Lawfulness of processing: public interest etc

Daniel Zeichner (Cambridge) (Lab)

I beg to move amendment 140, in clause 8, page 5, line 23, after “includes” insert

“but is not limited to,”.

The Chair

With this it will be convenient to discuss amendment 141, in clause 8, page 5, line 29, at end insert

“or

(e) the exercise of research functions by public bodies.”

This amendment would ensure that university researchers and public bodies with a research function are able to use the ‘task in the public interest’ lawful basis for processing personal data, where consent is not a viable lawful basis.

Daniel Zeichner

It is a pleasure to serve under your chairmanship, Mr Hanson. I shall begin by declaring an interest: I chair the all-party parliamentary group on data analytics, the secretariat to which is provided by Policy Connect. In that capacity, I have had the pleasure of having many discussions about GDPR with experts over the past couple of years. I reflect on what a very good process it is that British parliamentarians in the European Parliament are able to intervene on such matters at early stages, to make sure that when the legislation finally comes to us it already has our slant on it. That may not be possible in future when we come to discuss such legislation.

I represent a university city, so research is a key part of what we do. It is on that basis that I tabled the amendments, and I am grateful to the Wellcome Trust and the Sanger Institute, which have given me advice on how the amendments would help them by providing certainty for the work that they do. The purpose of amendment 141 is to ensure that university researchers and public bodies with a research function are able to use what is called the “task in the public interest” lawful basis for processing personal data, where consent is not a viable lawful basis. I apologise for going into some detail, but it is important for universities and researchers that there is clarity.

As the Bill is drafted, clause 8 provides a definition of lawfulness of processing personal data under GDPR article 6(1)(e). Subsections (a) to (d) of clause 8 set out a narrow list of activities that could be included in the scope of public interest. I am told that that list is imported from schedule 2(5) of the Data Protection Act 1998, but I am also told that the drafters have omitted a version of the final and most general sub-paragraph from that list, which reads:

“for the exercise of any other functions of a public nature exercised in the public interest by any person.”

It is speculated that that may have been taken out of the list to tighten up, and to avoid a tautology in defining, “public interest”, but the worry is that taking it out has made the clause too restrictive. The explanatory notes indicate that the list in clause 8—that is, subsections (a) to (d)—is not intended to be exhaustive, but the Wellcome Trust and the Sanger Institute worry that it has narrowed the public interest terminology to a very narrow concept, which will be confined to public and judicial administration.

There was a very lengthy and very good debate in the other place on this matter. One of our universities’ main functions is to undertake research that will often involve processing personal data. In some cases, GDPR compliant consent, which may seem the obvious way of doing it, will not be the most appropriate lawful basis on which to process that data. It is therefore really important that an article 6 lawful basis for processing is available to university researchers with certainty and clarity.

The Government have included reference to medical research purposes in the explanatory notes, but the worry is that that does not necessarily have weight in law and the reference excludes many other types of research that are rightly conducted by universities. This is not a satisfactory resolution to the problems that are faced.

The amendment tries to enable research functions to be conducted by public bodies such as universities without doing what the Government fear, which is to broaden the definition of “public interest” too far. The wording retains the structure of the DPA list, from which the current clauses were imported, but it narrows it down in two ways. It specifies the purpose of processing, that is, research functions, which must be the reason for the processing and specifies who is doing the processing—the basis of it only being available to public bodies, as defined in the previous clause.

We are aware that the Government are worried about adding further subsections to the list. I think they said that it could open the floodgates in some way. However, I am told that there is not really any evidence to suggest that the current wording of paragraph 5 of schedule 2 of the Data Protection Act, which has a very broad notion of public interest, has in any way “opened the floodgates”. To give some sense of the concerns that have arisen, the processes by which university researchers seek permission to do things are quite complicated. Some of the bodies have already issued guidance. I am told that the Health Research Authority issued guidance on GDPR before Christmas. It advised that a clause on using legitimate interests should be included in the Bill.

There is confusion in the research sector, and there is a wider worry that if this is not clear, it is open to legal challenge. While some institutions will be able to take that risk, the worry is that smaller research bodies would conclude that, given the lack of clarity, it would not be worth taking that risk. I hope that the Government will think hard about the suggestion. It comes from the research institutions themselves and would give clarity and reassurance. I hope that the Minister will accept the amendment.

Liam Byrne

I want to say a few words in support of my hon. Friend and these important amendments. I think there is an acknowledgement on both sides of the Committee that if we are to prosper in the world that is coming, we are going to need to increase the amount of money that we spend on research and development and make sure that a research-driven economy reaches every corner of the country.

The world of innovation and research is changing very quickly. I think it is next year that China becomes the world’s largest science spender for the first time in several centuries. If we are to compete in this new world, we need to invest more in our R&D base. The Government have made some helpful commitments in this area. Their proposals are not quite as ambitious as the Labour amendments, but none the less all progress is welcome.

I hope that the Minister will reflect on the reality—the way in which research is conducted in our country is changing. In the past, I have called that a shift from the cathedral to the campus. Once upon a time, big firms put a lot of people in a large building and prayed for the best. Now, they are building business parks and creating ecosystems of innovation where they may have a shared research and development facility, otherwise known as a university. There may be big international companies with global reach organised around them, but there are also scores of much smaller firms. They may be as small as a couple of post-docs in a shared lab. If we look at facilities such as BT at Dashwood Park, the Crick Institute or GSK in Stevenage, we see big global companies with hundreds of smaller companies around them which are undertaking research with much greater speed and much lower risk, but with an impact that could change the world.

We cannot jeopardise the conduct of that research. My hon. Friend the Member for Cambridge is right to point out that where there is doubt about the law, or the powers and freedoms of research firms, there is a risk that such firms simply will not undertake such work in the UK, and instead will seek relationships either with global companies or, increasingly, with universities that have R&D facilities elsewhere. We want to create the world’s best place to undertake new science, and that means having a research regime that is the best in the world. We therefore need a data protection regime that helps and does not hinder, which is why the Government should accept these carefully crafted amendments.

Margot James

I recognise the expertise of the hon. Member for Cambridge in this area, and I am glad of the opportunity to debate the matter fully with him, as I am conscious that I did not address the points he made in his good contribution on Second Reading. We all agree on the importance of scientific research, and one of the things I am most proud of in the industrial strategy is the huge increase in public funding for research and development. We welcome the interest in the Bill shown by the Wellcome Trust and other organisations. They are concerned that universities processing personal data in the context of ground-breaking medical research will not have a clear legal basis for doing so. The Government recognise how important that is, but we believe that the amendment is not necessary and that there is no need specifically to mention the research functions of public bodies in clause 8.

It might be helpful if I explain what clause 8 is designed to do. If an organisation is to process personal data, it must have a legal basis for doing so under article 6 of the GDPR. The clearest basis is where the data subject has given his or her consent to the processing, but article 6 also permits processing without someone’s consent in certain circumstances, including where

“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

Clause 8 helps to explain the meaning of “public interest tasks” by providing a list of processing activities that fall into that category. The list was always intended to be non-exhaustive, which is why we have used the word “includes”. In law, that word is always assumed to introduce a non-exhaustive list, and we have tried to make that point as clear as possible in the explanatory notes.

Additional phrasing in the Bill, such as that proposed in amendment 140, would add nothing to what is already in the clause’s interpretation under English law, and it would risk confusing the interpretation of the many other uses of that word elsewhere in the Bill. Given the non-exhaustive nature of the list, the fact that publicly funded research is not mentioned specifically does not mean that the research functions of public bodies will not be considered as “public interest tasks”, thereby providing a legal basis for universities to process personal data.

The Information Commissioner’s Office said:

“Universities are likely to be classified as public authorities, so the public task basis is likely to apply to much of their processing”.

Its guidance goes on to give “teaching and research purposes” as one such example. Hon. Members will appreciate that the list could become very long and still not be conclusive if we included everything that the Government and the Information Commissioner’s Office consider amounts to a “public interest task”. Given those reassurances, I hope that the hon. Gentleman will not feel it necessary to press his amendment to a vote.

Daniel Zeichner

I thank the Minister for her kind words—particularly about Second Reading. I think that we were all puzzled about what was going on at about five minutes to 10; I am none the wiser. I am slightly disappointed by her response, because this is not a party political discussion. We all want to get to the same place. In many ways, the discussion we have just had is not that dissimilar from the previous one about educational institutions, schools and academies. There are many grey areas relating to what universities are, and what their status and that of the research bodies associated with them is. My worry is that if we just take the Minister’s reassurances rather than amend the Bill, the uncertainty to which I alluded—it is not my uncertainty; it is what staff at esteemed research institutions say they feel—will be a problem. We should try to improve the Bill to get the clarity we need.

The Chair

The hon. Gentleman needs to indicate to the Chair whether he wishes to withdraw the amendment or press it to a Division.

Daniel Zeichner

I think we will go to a vote, Mr Hanson.

Question put, That the amendment be made.

Data Protection Bill [Lords]

Daniel Zeichner Excerpts
Money resolution: House of Commons & Programme motion: House of Commons
Monday 5th March 2018

Commons Chamber
Daniel Zeichner (Cambridge) (Lab)

I will not speak about the problems of the analogue past, but instead look ahead to the digital future. It is a pleasure to speak on a Bill that has been subject to very detailed scrutiny by some very eminent people in the other place.

It may seem curious to have such lengthy and detailed legislation before us when the heart of it, the GDPR, is actually somewhere else—it is, of course, in EU legislation. Our discussion is on how to implement it and other such issues rather than on the actual proposals themselves. I dare say that there are some who will jump to the conclusion that it is yet another example of rules being made elsewhere. However, I take the opposite view, as this is legislation that British representatives helped to fashion in Brussels, and as I will point out later in my speech, because data flows across national boundaries, having a full and frank discussion with one’s neighbours is to one’s advantage, not disadvantage. By being in the European Union, through the GDPR as in so many other fields, we take control of our future, rather than hunker down in a defeated bunker and wait for others to do things to us—taking back control of nothing other than the ability to bemoan our unfortunate fate.

This debate today is very timely, because on Friday the Prime Minister finally made the first faltering steps towards recognising that reality. I was pleased to see her acknowledge just how important data is to our future—it was one of the four key areas that she outlined—but, even after all the warnings, she still does not seem quite to understand the pitfalls in seeking an adequacy arrangement when, without the freedoms that membership of the European Union gives us to determine our own balance between security and privacy, that balance will be subject to the very different judgment of other EU countries.

I have been fortunate, through my work as chair of the all-party group on data analytics, to learn from a range of very expert people about some of the possible advances that come with a much more sophisticated use of data. I have also learned of the fears that many rightly have about the potential consequences of those same advances. That is why I was pleased that, following the excellent work by the Royal Society led by Dame Ottoline Leyser from Cambridge among others, we do now have the prospect of a data ethics and governance body, and, perhaps unusually, I pay credit to the Government for bringing that forward. Although I have questioned exactly how that will sit within the current structures, particularly with the Information Commissioner’s Office, we have the potential to create something really rather important, and I hope that, in further discussion of this Bill, we will be able to explore with Ministers in more detail the future landscape for data governance. We most certainly need such governance, because hardly a day goes by without further concerns being raised in one sphere or another, whether it be internet safety issues or the accurate reporting of news. To put it mildly, this is a big subject.

I will not attempt to address all, or even many, of the issues in the Bill; that can be for another day. Instead, I will confine my comments to one or two areas of particular concern. As someone who was very taken by the account of the potential dangers of relying too heavily on closed algorithms when I read the aptly titled “Weapons of Math Destruction” by Cathy O’Neil, I must mention the concern so many of us feel about the dangers of automated decision making, which so risk hardcoding previous injustices and social and cultural prejudices. In this Bill in particular, I share the concerns already raised about the immigration exemption.

A further concern raised in general about GDPR is the potential unintended consequences on some voluntary organisations, particularly small ones. It may be that the legislation has not always been properly understood, and it may be that some accounts have caused people to be more fearful than they need be, but I was struck just a few days ago to hear from a small charity in Cambridge that it had decided to discontinue its operations because it was not confident that it could meet GDPR requirements. Stopping small voluntary organisations from helping people is not the intention of this legislation. Indeed, if that is an unintended consequence, we need urgently to find ways to remedy it.

Similarly, we need to make sure that this legislation facilitates, rather than damages, our ability to use NHS data effectively. I know that many are working very hard on that, and that everyone is mindful of previous false starts. In particular, the shadow of Care.data still looms, because, despite good intentions, that programme clearly got it wrong. It failed to win public trust: there was widespread concern that the appropriate safeguards were not in place, and a failure properly to explain potential benefits to patients. It is easy to criticise, but winning trust is a very hard thing to do. The public are rightly concerned that data obtained for one use could then be applied in a different context and could possibly be commercialised. All the evidence is that that is what people particularly revile. We now have another programme under way, which we are told is GDPR compliant, and yet I wonder again just how many people are aware of it and whether we can be sure that there will not be further problems. I hope that, as we discuss this Bill, we can help raise public awareness and understanding, because without that, all the work and effort being put in by so many could be at risk.

I turn briefly to potential impacts on the research sector and universities. I am grateful to the Sanger Institute, located outside Cambridge, and the Wellcome Trust for explaining some of the very real concerns facing the sector, particularly around health data. We know that reviews such as Caldicott have made sensible recommendations, which hon. Members are working hard to get on the statute book. The principle of opt-outs regarding the usage of data collected is sound, and the safeguards such as those enshrined in GDPR are vital for ensuring data subjects’ interests are protected in research. However, as currently drafted, the framework for data processing by the Government, which was introduced at a very late stage in the other place, risks undermining that. The ICO also has concerns, as it is not clear that the public can have absolute confidence in the way that the Government use their data, and I hope that we can have some clarity from Ministers over how that can be resolved. It is also worth noting in passing that the introduction of the National Data Guardian for Health and Social Care, which has come about through a private Member’s Bill, is welcome but is awaiting Committee stage. The process needs to be speeded up to dovetail with this Bill as a matter of urgency.

There are further concerns. Research institutions tell me that this Bill currently does not provide a clear enough legal basis for conducting research using personal data. They have some fairly straightforward suggestions for improvement, which I hope the Government will consider in Committee, around better defining public interest to make it explicit that it includes research uses, particularly medical research.

Additionally, when I spoke to the Sanger Institute, which has to process data not under the public interest category but under legitimate interest, it was clear to me that it is important that it has confidence about the legitimate provenance of the processed data that it uses, which has often been passed from universities. The research community needs it written explicitly in the Bill that university research can be conducted legitimately on a “task in the public interest” lawful basis. That is also needed to satisfy guidance from the ICO to confirm that this is an appropriate lawful basis for university research. Although larger institutions may have the confidence to continue with their research and risk challenge, this could present more of a problem to newer or smaller universities. We have huge potential for healthcare transformation and innovation in the UK economy, and to risk that by getting this part of the Bill wrong would be very foolish.

Let me conclude by returning to where I and the GDPR began—with our relationship with the European Union and the extent to which this Bill will or will not help us secure the adequacy agreement that we all agree that we need and that the Prime Minister confirmed that we needed on Friday. Why does it matter? I urge Members to look no further than the excellent work done by techUK, which has explained in detail just how much our economy depends on data flows. Let me share a local example. A few weeks ago, I visited Jagex, a video games developer in my constituency. It was not my first visit. It is a fantastic and inspiring example of what work might be like in the future, and its model is very positive. Visiting Jagex, with representatives from Ukie, the trade body for the video games sector, it was explained to me just how vital data flows are for the sector. It is because these games and their players span many nations, and their data does not respect national boundaries.

On a Friday afternoon, 100,000 people were playing RuneScape—I was told that, over the weekend, there would be more than a million players. Huge flows of data are serviced and maintained by skilled staff in Cambridge, who are from all over Europe and beyond. That is the future, and it is a good future, but it requires that we keep open those flows of data, and—although this is for another day—those flows of people. None the less, we are potentially putting this UK success story at risk. Some of the national security and immigration exemptions in this Bill are potentially enough to deny us data adequacy in the eyes of some countries in the EU. We need to ensure that this Bill is not going to cause us harm further down the line.

There is also the question of timing. These are complicated and controversial issues, but the Bill must be on the statute book in a mere two months’ time—on 6 May—for the new rules to be in place for 25 May. Missing the GDPR implementation date really is not a great look for a country that is trying to achieve a data adequacy agreement with its international partners.

We may also need to assess other countries for their adequacy. Who is to do that assessment? The ICO does not feel that it is appropriate for it to do that, so is the Department for Digital, Culture, Media and Sport really ready? Does it have the resources? Has the work started? And what of the complexities of the relationship with the United States of America and the privacy shield? At the moment, we are covered by the data privacy shield as an EU member state and a similar arrangement would be welcome, but the American system is complicated, with no federal oversight and it may not be quick.

I welcome this Bill overall, but significant challenges remain. I look forward to seeing how the Bill will be improved in Committee, particularly around safeguarding data owners’ rights, ensuring that we can make best use of our health data, and ensuring that universities and researchers have the clarity that they need to continue their excellent and life-saving research.

I hope that the Minister will go further to explain the ways in which she is preparing for adequacy decisions that may need to be both applied for and made by the UK in the coming months and years. Most importantly, perhaps, I hope to learn further from Ministers how this Bill will be adapted so that our approach to the balance between privacy and security is sufficiently aligned with EU standards, meaning that adequacy can be achieved smoothly. I am afraid that “ambitious managed divergence” simply will not cut it, and I leave the Minister to explain how the conundrum can be resolved.

--- Later in debate ---
Mr Speaker (John Bercow)

It is very much for a Minister to decide for how long he, or in this case she, responds to a debate. I understand that the hon. Gentleman is somewhat agitated. I am saddened to see him in a state of perturbation about the matter, but there is no immediate relief, other than the fact that he has registered his concern and it is on the record. There is, however, nothing to be added by me in response to his point of order.

Daniel Zeichner

Further to that point of order, Mr Speaker. As my hon. Friend says, this has been a very long debate in which serious issues have been raised by Opposition Members. This debate was about not just Leveson, but data protection, which is particularly important for the future, and Opposition Members asked some major questions. I asked about the future of research. Researchers are very concerned, but they have not had an answer from the Minister. Is there anything that you can suggest, Mr Speaker, that would enable them to get an answer this evening from the Minister?

Mr Speaker (John Bercow)

It is for the Minister to decide how long she replies. I am sorry if the hon. Gentleman feels that his points have not been responded to by the Minister, but she is legendarily succinct, and has obviously decided—independently, or in consultation with her colleagues on a collective basis—that tonight shall be no exception to the general principle of Jamesian succinctness.

Uber: Personal Data Theft

Daniel Zeichner Excerpts
Thursday 23rd November 2017

(6 years, 5 months ago)

Commons Chamber

Urgent Questions are proposed each morning by backbench MPs, and up to two may be selected each day by the Speaker. Chosen Urgent Questions are announced 30 minutes before Parliament sits each day.

Each Urgent Question requires a Government Minister to give a response on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the official record.

Matt Hancock

Yes, I give the assurance that, at this stage, our initial assessment is that, for Uber customers, the stolen information is not the sort that would allow direct financial crime. People just need to make sure that they do not respond to phishing emails and that they follow NCSC guidance.

Daniel Zeichner (Cambridge) (Lab)

Uber’s scandalous disregard for the rights of the millions of people who have entrusted it with their personal data shows that we need stronger protection. There was a suggestion in yesterday’s Budget that there will be a centre for data ethics. Can the Minister shed some light on the centre’s relationship with the Information Commissioner’s Office to ensure that we can deal with these over-mighty companies in the way that my hon. Friend the Member for Ilford North (Wes Streeting) suggested?

Matt Hancock

This is an important subject. The Information Commissioner, of course, is the regulator, and we think that there is a broader question to ensure that the modern use of data is both innovative and follows a decent set of ethics, which is what the proposed centre is all about.

Leaving the EU: Data Protection

Daniel Zeichner Excerpts
Thursday 12th October 2017

(6 years, 7 months ago)

Commons Chamber
Daniel Zeichner (Cambridge) (Lab)

My right hon. Friend is making extremely important points. The very fact that we are having the debate shows that there is uncertainty. When those who may be not so friendly to us in other parts of Europe are looking for cause to be difficult, does that not absolutely give them that cause?

Stephen Timms

As chair of the all-party parliamentary group on data analytics, my hon. Friend is in a very good position to understand just how important this is for our economy. He is absolutely right: if we open up that uncertainty in our regulatory arrangements, it will be harder, perhaps impossible, to achieve the adequacy agreement that we need.

I am grateful to the Minister for committing himself to seeking that adequacy agreement. Like the hon. Member for Argyll and Bute (Brendan O’Hara), I was slightly concerned about what he meant when he referred to something “akin to” an adequacy agreement. What we need is an adequacy agreement that is formally defined. We need that declaration from the Commission, so that UK businesses can continue to exchange personal data with businesses in other EU member states.

--- Later in debate ---
Daniel Zeichner (Cambridge) (Lab)

It is a pleasure to follow my regional neighbour, the hon. Member for Chelmsford (Vicky Ford). May I congratulate my hon. Friend the Member for Warwick and Leamington (Matt Western) on his excellent maiden speech? He started by suggesting that he was going to talk about happiness, which is something that we could all do with much more of, and then quite rightly began to reflect on the everyday experiences of his constituents which, sadly, involve less happiness. He did manage to conclude on a positive and optimistic note for the future. I congratulate him on his contribution and on choosing to make it in a debate in which, as we have heard, the stakes are so high. When the public voted last year, I doubt that any of those who voted leave were actually voting to make data transfers more difficult, to make business more complicated, to stop the planes flying, to find video games unplayable and to find regularly used websites suddenly becoming unavailable. If 29 March 2019 is exit day, as some parts of the Government say on some days of the week, April fool’s day 2019 will be a day when the papers really will not have to make it up.

Some have described the movement of data across Europe as the fifth freedom. In fact, my hon. Friend the Member for Cardiff West (Kevin Brennan) made exactly that point. I suspect that most of us, and most of our fellow citizens, are only dimly aware of what actually happens to our data, but it does really matter. The design, extent and provisions of the British data protection framework will have profound implications for the nature of UK-EU trade relations. Today’s debate is particularly timely given the proceedings on the Data Protection Bill that are already under way in the other place. It is vital that we get this framework right.

I chair the all-party group on data analytics, and I have seen at first hand the way in which data has moved to the centre of every sector. Wherever we go, people are talking about data. I hope that the Minister will accept an invitation to meet the all-party group fairly soon to talk about how we can build awareness not just of how transformational this is likely to be, but of how complicated it will be to ensure that we get it right.

As we have heard, data is an increasingly valuable commodity, with the UK conducting three quarters of its cross-border data exchange with the European Union. The EU data economy was worth €272 billion in 2015 and has continued to grow rapidly since.

We have played a key role within the European Union in developing the GDPR, which will come into effect in the UK from May 2018. The European Commission proposed this new legislative framework back in January 2012 as an update and a levelling mechanism to protect citizens across Europe. It has taken five years of discussion and hard work for the regulation to be agreed. This significant measure for the UK does a number of things. It significantly widens the definition of personal data, transforms the notion of consent, carries severe fines for companies in case of non-compliance and fundamentally alters the way in which companies can store and process personal data.

Back in February, the Minister told the House of Lords EU Home Affairs Sub-Committee that the GDPR was a “good piece of legislation”, and I welcome the Government’s sensible decision to adopt the GDPR into UK law. But, as many have pointed out, there are problems ahead, not least with some elements of the relationship with the Investigatory Powers Act 2016. Both techUK and Ukie—the Association for UK Interactive Entertainment—which covers things such as video games, highlighted that concern when the Government published their paper in August, and both noted that the paper did not address an issue that the Government knew to be problematic.

Why would it matter if data flows were interrupted? Well, we are good at data in the UK. Our digitally intensive industries account for 16% of gross value added, 24% of total UK exports and 3 million jobs. The digital sector is growing 32% faster than the national average. We are at a significant competitive advantage in the digital economy. At 10% of GDP, the digital economy makes a larger contribution to our economy than that in any other G20 country, so it really matters to us. Beyond that, it is a vital enabler in the overall UK economy and society. We are increasingly digitised, with all sectors increasingly reliant on data flows. They underpin retail, health, finance, manufacturing and the automotive industries, to name just a few. The Government have confirmed that:

“Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.”

That confirms that they do understand and appreciate the importance of data protection.

Additionally, data flows benefit consumers, allowing innovation in products and services, streamlining performance in industry and improving global communication. They reduce business costs, leading to more investment in research and development, and improve productivity. In some ways, the problem is that our membership of the European Union gives us special advantages. In a profound irony, we actually have more control over our own privacy regime when we are within the European Union than we will have when we are outside it. Let me explain how that comes about.

Outside the EU, we become a third country in terms of our relationship with the European Union. The Government say that the best way forward is an adequacy agreement, or something akin to one, which would need to be secured with the European Commission. There are alternatives, but they are difficult, unstable and particularly ill-suited to UK businesses, especially small and medium-sized enterprises. The large corporations may be able to manage, but the small businesses will not. UK firms, particularly the start-ups in my part of the country, would have to jump through hoops and hurdles that their European counterparts would not have to. While our companies would be spending time and money agreeing standard contractual clauses with customers, their EU counterparts and competitors would simply be getting on with business.

Mark Tami (Alyn and Deeside) (Lab)

Many smaller companies in particular are not aware of what is coming down the road and what sort of extra work they will have to do.

Daniel Zeichner

My hon. Friend is absolutely right. Much work needs to be done to raise awareness of what the GDPR will mean. That is a challenge, but it is a good thing in general. The worry is that if it will not be available for our smaller companies in the future, that already challenging task will be made even more difficult. In fact, it will be so difficult in many cases that small companies in areas like mine will simply up sticks and go somewhere else where the process is easier.

I fully recognise the points made by Government Members. They understand a lot of this and say that an adequacy decision would be the best possible solution to ensure the

“unhindered exchange of data within an appropriate data protection environment”.

The partnership paper clearly states that future data protection co-operation

“could build on the existing adequacy model”.

If we are to achieve that objective, ensuring the continued alignment of the UK’s data protection framework with the EU’s will be key. That should, therefore, be the primary consideration in any discussion of the provisions of the Data Protection Bill. Any deviation from the provisions of the GDPR could put at risk achieving a successful outcome as we seek an adequacy decision.

We also need to look to the future, because if we do get that adequacy agreement, given the close alignment of UK and EU data protection frameworks, the Government must prioritise ICO involvement in the formulation of future EU data protection provisions. As we have heard, the EU will inevitably update the GDPR as time and technology progress. However, we risk these changes being dictated to us, and a duty needs to be placed on the ICO and the commissioner to maintain regulations that keep the UK adequate with the latest version of EU law. Even if we can achieve that, there is a great irony here, in that we will, effectively, be dictated to—it is not quite the taking back control that some were seeking.

Perhaps more important is that just saying that we would like an adequacy agreement is not the same as actually getting one. We might wish for one, but will we be able to have it? Will others agree? There are various problems, which I hope the Minister will address. The first is time. Obtaining an adequacy decision is feasible only for third countries. It follows that, to get one, the UK will need to have left the EU at the time of the ruling, which leads to the very real danger of a data protection cliff edge. In evidence to one of our Committees, Stewart Room, head of data protection at PricewaterhouseCoopers, said that obtaining such a decision could take “many, many years”. So this week’s talk of no deal is highly risky when it comes to data. The risk of a cliff edge is very real and very dangerous.

Then there is the Investigatory Powers Act. There is a danger that some of our neighbours may no longer be inclined to share data with a country that takes a different view on privacy issues from them. As members of the EU, our different traditions are respected; as a third country, things could be very different. The provisions in the Investigatory Powers Act, and the current investigatory practices in our intelligence services, which allow the police to access personal data such as communications or internet data without a requirement for independent judicial approval or for the issue being investigated to be of a certain seriousness, will be a legitimate concern for some countries in the EU when negotiating an adequacy agreement. Perhaps the Minister can tell us what work has been done on this and what assurances have already been received.

The ruling of the Court of Justice of the European Union in the Watson case with regard to the UK’s surveillance and bulk data retention regime is also important. The Court’s decision stated that the UK’s surveillance and data retention laws—then the Data Retention and Investigatory Powers Act 2014—exceeded the EU’s view of what is strictly necessary and appropriate. That model of retaining communications data is broadly mirrored in the new Investigatory Powers Act—the replacement for DRIPA. It is hardly inconceivable, therefore, that the EU could decide that the UK does not reach its standards for adequacy. On this rather complicated set of issues, I should say that I am grateful to Renate Samson of Big Brother Watch for explaining some of these points to me.

My next concern was about the European charter of fundamental rights, but it has already been touched on in the excellent discussion triggered by the contribution from my right hon. Friend the Member for East Ham (Stephen Timms), whom I will be supporting in his efforts to secure amendment 151 when we discuss the European Union (Withdrawal) Bill.

There is a further point about that Bill. We know that it is controversial and that there are concerns that ministerial alterations can be made without parliamentary votes. If the GDPR were to be altered during the repeal process, and citizens’ personal data rights were in any way diminished, we could be prevented from being anywhere near the level of protection deemed adequate by the EU. The Information Commissioner has made it clear that for the UK to achieve the gold standard of data protection regulation and enforcement, the right way forward is to fully adopt the GDPR, and that position must be maintained.

UK businesses and organisations have already started preparing for the GDPR, which is good. That should stand us in good stead when it comes to an adequacy discussion. It is vital that we enshrine the GDPR in our law permanently in a clean Data Protection Bill, so that data can still flow, businesses can still run and communications do not just stop. However, it is of the utmost importance that we commit to these rules for the long term and provide certainty for individuals and businesses. The economic consequences of not being able to move personal data would be very serious, with companies having to double-store data. That would take a long time to implement, and it would have serious economic and environmental costs, and run the risk of our not being able to operate properly across borders. It would, at a stroke, put at risk the UK’s place as a global hub for tech and other data-intensive industries. There is a huge amount at stake.

There is, of course, a simple alternative that looks more and more obvious with every passing day to some of us, as Brexit morphs into wrecks-it. But until we reach the point at which sense prevails, I hope that the Minister will share with us information on the work being done, especially on fine-tuning the relationship between the GDPR and the IPA, to ensure that the data keeps flowing and we can remain part of the modern world.