Brendan O'Hara (Argyll and Bute) (SNP)

- Hansard -

Copy Link

- - Excerpts

I rise in support of new clause 12, for two reasons. With the Bill as it stands, we see an erosion of the rights of UK citizens in a range of areas. This is particularly important because, as drafted, the EU (Withdrawal) Bill, eliminates important rights that are protected by article 8 which would otherwise constrain Ministers’ ability to erode the fundamental data protection rights that we currently enjoy.

On top of that, it is essential that, post-Brexit, the United Kingdom has an adequacy agreement with the rest of the European Union. As we have heard from the right hon. Member for Birmingham, Hodge Hill, if the United Kingdom fails to secure an adequacy agreement, I fear there will be a flight of high-tech, high-skilled jobs from the United Kingdom to other parts of the European Union.

For the UK to be able to take full advantage of this vital continued free flow of data with the rest of the European Union post Brexit, the most straightforward route is an adequacy agreement. As I have heard argued before, that decision is not as straightforward as one would hope. An adequacy agreement is not simply in the Commission’s gift to give; it is a legal judgment.

If I could point again to the data protection lawyer, Rosemary Jay, who said that the EU had to go through a legislative process, and it was simply not in the EU’s gift to do this in any informal way. The Commission has to go through a legislative process in order to give the UK an adequacy agreement. There are further complications because, with an adequacy agreement, the European Commission has to consider a variety of issues, such as the rule of law, respect for human rights, and legislation on national public security and criminal law. That being so, as it currently stands, the Investigatory Powers Act may well prove a block to achieving adequacy. The Act has already been accused of violating the European Union’s charter of fundamental rights. Eduardo Ustaran, the internationally recognised expert, has said:

“What the UK needs to do is convince the Commission—and perhaps one day the European Court of Justice—that the Investigatory Powers Act is compatible with fundamental rights. That’s a tall order”.

While I can understand that the Government are absolutely desperate to secure an adequacy agreement, the harsh reality is that, in these challenging circumstances and with this challenging legal process, it is not going to be as simple as perhaps we had hoped.

No one wants this situation to arise; it is absolutely essential that we have this deal, but, as GDPR evolves over time—as it surely will—in order to maintain that adequacy status, should we attain it, the UK will have to keep its data protection law in line with GDPR. The EU charter of fundamental rights and freedoms is absolutely central to EU data protection law. If we exclude ourselves now from article 8, the chances of achieving adequacy are seriously jeopardised, and the chances of maintaining adequacy are further jeopardised. I urge the Government please to consider the long and short-term consequences of not accepting this new clause. Without article 8, I cannot see how we will achieve or maintain adequacy, and if we cannot achieve and maintain adequacy, the consequences for UK high-tech businesses are unfathomable.

Mike Wood (Dudley South) (Con)

- Hansard -

Copy Link

- - Excerpts

The hon. Gentleman is selectively quoting from that analysis. As he will see, it also says that the European Court of Human Rights —I think that the case concerned Finland—held that article 8 of the European convention on human rights encompassed data protection rights that were protected in article 8 of the charter.

Margot James

- Hansard -

Copy Link

- - Excerpts

I thank speakers for their thoughtful contributions. I share many of their concerns, as do the Government, particularly with regard to adequacy, which I will talk about in more detail. I think we are all agreed that after Britain leaves the European Union we must be able to negotiate an adequacy agreement for the free flow of data between us and the EU. That is absolutely essential.

First, the GDPR implements the right to data protection and more. It is limited in scope, but the Bill also implements data protection rights on four areas beyond GDPR. It applies GDPR standards to personal data beyond EU competence, such as personal data processed for consular purposes or national security. Secondly, the Bill applies the standards to non-computerised and unstructured records held by public authorities that the GDPR ignores. Thirdly, the Bill regulates data processed for law enforcement purposes. Fourthly, it covers data processed by the intelligence services.

There is no doubt in our minds that we have fully implemented the right to data protection in our law and gone further. Clause 2 is designed to provide additional reassurance. Not only will that be clear in the substance of the legislation, but it is on the face of the Bill. The Bill exists to protect individuals with regard to the processing of all personal data. I think this is common ground. We share Opposition Members’ concern for the protection of personal data. It must be processed lawfully, individuals have rights, and the Information Commissioner will enforce them.

New clause 12 creates a new and free-standing right, which is the source of our concern. Subsection (1) is not framed in the context of the Bill. It is a wider right, not constrained by the context of EU law. However, the main problem is that it is not necessary. It is not that we disagree with the thinking behind it, but it is not necessary and might have unforeseen consequences, which I will come to.

Article 6 of the treaty on European Union makes it clear that due regard must be had to the explanations of the charter when interpreting and applying the European charter of fundamental rights. The explanations to article 8 of the charter confirm that the right to data protection is based on the right to respect for private life in article 8 of the ECHR. The European Court of Human Rights has confirmed that article 8 of the ECHR encompasses personal data protection. The Government have absolutely no plans to withdraw from the European Court of Human Rights.

The new right in new clause 12 would create confusion if it had to be interpreted by a court. For rights set out in the Human Rights Act, there is a framework within which to operate. The Human Rights Act sets out the effect of a finding incompatible with rights. However, new clause 12 says nothing about the consequences of potential incompatibility with this new right to the protection of personal data.

Margot James

- Hansard -

Copy Link

- - Excerpts

That brings me on to my other point: not only does this roll-over, as the right hon. Gentleman puts it, threaten to create confusion and undermine other rights, but it is unnecessary. The charter of fundamental rights merely catalogues rights that already exist in EU law; it is not the source of those rights. The rights, including to data protection, which is, importantly, what we are here to debate, arise from treaties, EU legislation and case law. They do not arise from the European charter of fundamental rights, so we argue that the new clause is completely unnecessary.

Margot James

- Hansard -

Copy Link

- - Excerpts

The source of the rights that we are discussing are EU legislation and case law. Those rights will be protected in UK domestic law after we leave the European Union by the European Union (Withdrawal) Bill. We have fully protected the right to data protection in our law. We have considered new clause 12 carefully, and it creates a new right. As I said, the arguments are well rehearsed, which is why we created clause 2 with the agreement of the Opposition spokespeople in the House of Lords.

The Government are determined to ensure the future free flow of data when we leave the European Union. We have heard much about the importance of, and the need for, an adequacy agreement, and I agree with everybody who has spoken on that. The general consensus is that, to achieve that, we need to faithfully implement the GDPR, and avoid the courts finding parts of the GDPR potentially incompatible with a new right. If that happened, rather than enabling the free flow of data, we would risk undermining it.

Twelve countries have negotiated adequacy arrangements with the European Union, including Canada, Israel, Uruguay, New Zealand and the United States. None of those countries was obliged by the EU Commission to put the charter of fundamental rights into their law, so I think Members can rest assured that the new clause is entirely unnecessary to achieve adequacy on our departure.

Margot James

- Hansard -

Copy Link

- - Excerpts

I do not agree with the hon. Gentleman. I share his concern that we need to negotiate an adequacy agreement effectively; I am at one with him on that matter. For the reasons I have outlined, I do not believe that, if our clause is passed unamended, it will undermine that right when we come to negotiate an agreement. He made the point that those other countries are in a different position. They are already third countries in relation to us, and will be so when we leave. We will become a third country when we leave the European Union. I accept that the situation is different, but it puts us at an advantage. We are incorporating the GDPR in its entirety into UK legislation, and I assure the hon. Gentleman that we have that safeguard.

Future free flow of data is absolutely at the top of our agenda for the forthcoming EU negotiations. As I said earlier, my right hon. Friend the Prime Minister made that clear in her Mansion House speech two weeks ago. We want to secure an agreement with the EU that provides stability and confidence for EU and UK businesses and individuals, and ensures we achieve our aims of maintaining and developing the UK’s strong trading and economic links with the European Union.

Ultimately, as some Opposition Members said, importing text from the EU charter of fundamental rights is unnecessary. The general principles of EU law will be retained when we leave the EU via the European Union (Withdrawal) Bill for the purposes of the interpretation of the retained EU law. The GDPR will be retained. Indeed, the Bill will firmly entrench it in our law. The right to the protection of personal information is a general principle of EU law, and has been recognised as such since the 1960s. The withdrawal Bill requires our courts to interpret the GDPR consistently with the general principle reflected in article 8 and retained CJEU case law, so far as it is possible to do so.

Margot James

- Hansard -

Copy Link

- - Excerpts

The European Union (Withdrawal) Bill fully protects the rights to data protection in our law. As I said earlier, we are seeking not only adequacy after Brexit, but a continuing role in conjunction with the bodies in Europe that govern the GDPR, with the idea that we continue to contribute our expertise and benefit from theirs.

Liam Byrne

- Hansard -

Copy Link

- - Excerpts

I am afraid we have heard a very weak argument against new clause 12. The Minister sought to prosecute two lines of argument: first, that new clause 12 risks confusion in the courts; and, secondly, that it is not needed. Let me take each in turn.

First, there can be no risk of confusion because this is not a new right. It is a right we already enjoy today, and our courts are well practised in balancing it with the other rights we enjoy. We are simply seeking to roll over the status quo into the future to put beyond doubt an adequacy agreement not just in the immediate years after we leave the European Union but in the decades that will follow.

Secondly, the Minister sought to persuade us that the new clause was not needed, and she had a couple of different lines of attack. First, she said that the source of our new protections would be the incorporation of EU case law and legislation as enshrined by the European Union (Withdrawal) Bill. Of course, that is simply not applicable to this case, because the one significant part of European legislation that the withdrawal Bill explicitly does not incorporate is the European charter of fundamental rights. The Minister slightly gave the game away when she read out the line in her briefing note that said that the rights we currently have in EU law would be enshrined and protected “so far as it is possible to do so.” That is exactly the kind of risk we are seeking to guard against.

As noble peers argued in the other place, the challenge with incorporating the GDPR into British law is that this is a piece of regulation and legislation that reflects the world of technology as it is today. It is not the first bit of data protection legislation and it will not be the last. At some point in the years to come, there will be a successor piece of legislation to this Bill and the courts’ challenge will be to make judgments that interpret an increasingly outmoded and outdated piece of legislation. We have to ensure that judgments made in the British courts and in the European courts remain in lockstep. If we lose that lockstep, we will jeopardise the future of an adequacy agreement. That will be bad for Britain, bad for British businesses and bad for technology jobs in all our constituencies.

The challenge we have with regulating in this particular field is that sometimes we have to be anticipatory in the way we structure regulations. Anyone who has spent any time with the British FinTech industry, which Ministers are keen to try and enhance, grow and develop for the years to come, will know that FinTech providers need to be able to test and reform bits of regulation in conjunction not only with the Information Commissioner but with other regulators such as the Financial Conduct Authority. For those regulators to be able to guarantee a degree of regulatory certainty, sometimes they will need to look beyond the letter of a particular piece of legislation, such as the Data Protection Bill when it becomes an Act, and reflect on the spirit of that legislation. The spirit is captured best by fundamental rights. The challenge we have is in the thousands of decisions that our regulators must take in the future. How do we put beyond doubt or dispute the preservation of regulatory lockstep with our single most important market next door?

The Uruguayan defence offered by the Minister will reassure few people. We should not be aspiring to the Uruguayan regime; we should be aspiring to something much deeper, more substantive and more harmonious. The Minister’s proposal will create a field day for lawyers. We all like lawyers; some of our Committee members are former lawyers—recovering lawyers in some cases. Lawyers should enjoy a profitable and successful future, but we in this House do not necessarily need to maximise their profit-making possibilities in the future. However, that is exactly what the Minister is doing by creating a pot pourri of legislation, which lawyers and judges will have to pick their way through. It is much simpler, much lower-risk, much safer and better for economic growth if we put beyond doubt, dispute and question the harmonisation of our data protection regime with our single most important market. That is why we need to incorporate article 8.

Liam Byrne

- Hansard -

Copy Link

- - Excerpts

My hon. Friend is right. He speaks with tremendous knowledge on this particular subject. There is a real risk that one of our most important industries will have its foundations wrecked by the inadequacies of this piece of legislation. There is no risk of confusion, there is no creation of a new and unchecked, unfettered right. We can draw no comfort from the EU (Withdrawal) Bill. There is a great risk of regulatory confusion and divergence over the years to come. I simply cannot understand why the Government would seek to put dogma and not the future protection of the British technology industry first.

This is not a trivial or frivolous issue; it has been put forward by the industry association representing half of technology jobs in this country. I hope that the Committee is persuaded by these arguments. We will seek to prosecute these arguments in a vote, at your discretion, Mr Hanson, but I hope that before we get to that point, the Government will see sense and accept the amendment.

Margot James

- Hansard -

Copy Link

- - Excerpts

I support the general tone of the right hon. Gentleman’s comments. I too was pleased to see the interview with the Secretary of State, his focus on the addictive nature of some of these apps and the idea that there could be within the technology a means of limiting the time children spend on them, which parents could click on. The Information Commissioner’s Office will publish guidance shortly on how clause 9 will work and what those safeguards will be. She will take into consideration an age-appropriate design, as suggested by Baroness Kidron.

Overall, where online services referred to in the Bill as “information society services” choose to rely on consent as the basis for their processing, article 8 of the GDPR sets the age below which a website must obtain the parents’ and not the child’s consent. Most websites will be captured by this additional safeguard, ranging from online banking to search engines to social media, with social media probably being the most relevant to the age group in question.

The GDPR gives member states the flexibility to set this age within a prescribed range of between 13 and 16. The Bill sets it at 13, with an exception for preventive and counselling services, for which the test is based purely on the child’s capacity to understand what they are being asked to consent to. The Government are satisfied that the Information Commissioner’s Office has adequate enforcement powers, including large fines for any offences committed in this area.

Margot James

- Hansard -

Copy Link

- - Excerpts

The hon. Gentleman is right that the GDPR stipulates 16 as the minimum age for consenting to data processing without parental consent, but that it provides for member states to derogate from that. At least seven, including Spain, Ireland and Denmark, have done just that. Like us, they have proposed a much younger age of 13, so we are not an outlier on the issue.

Currently, the minimum age in this country for allowing personal data to be used without parental consent is 12, so in a sense we are derogating from that policy by setting the minimum age at 13 in the Bill. The hon. Gentleman is right to point out that it is very difficult for technology companies to implement meaningful verification mechanisms for those younger than 18, who may not have anything like a credit card or driving licence. I have no doubt that the Government will keep an open mind on the matter, in line with other developments that will take place long after the Bill is passed.

Question put and agreed to.

Clause 9 accordingly ordered to stand part of the Bill.

Clause 10

Special categories of personal data and criminal convictions etc data

Margot James

- Hansard -

Copy Link

- - Excerpts

It does happen. That is not a new provision, but one that was imported from the current law. Unfortunately, some crucial words were accidentally lost in the process of importing it. The amendment reinstates them.

Schedule 1 sets out UK domestic legislation to allow the processing of particularly sensitive data in certain circumstances. The Government’s view is that the processing of such data must be undertaken with adequate and appropriate safeguards to ensure that individuals’ most sensitive data is appropriately protected. One of those safeguards is the new requirement for an appropriate policy document to be maintained in most circumstances when special categories of data and criminal convictions data are processed. That is set out in paragraph 5 and part 4 of the schedule.

Since the Bill’s introduction, we have reflected on whether there are cases where the requirement to hold an appropriate policy document is so disproportionate that, rather than improving protections, it effectively prevents the necessary processing from taking place. Amendments 79, 82 and 90 remove the requirement for a controller to have an appropriate policy document where processing involves the disclosure of special category data to a competent authority for the detection or prevention of an unlawful act, the disclosure of special category data for specific purposes in connection with journalism, or the disclosure of special category data to an anti-doping authority. Amendment 80 defines what is meant by “competent authority”. The aim of those amendments is to avoid a scenario in which an individual who never normally processes data under schedule 1 wishes to report a crime, report something of public interest to the media or report doping activities in sport and, in so doing, processes special categories of data and would have to have in place an appropriate policy document.

Amendment 76 reflects that change to the requirement to have an appropriate policy document by inserting the words, “Except as otherwise provided” in paragraph 5 of the schedule. Amendments 87 and 89 make it clear that, in the context of schedule 1, “withholding consent” means doing something purposeful, not just neglecting to reply to a letter from the data controller. That avoids a world in which data controllers have an incentive not to bother requesting consent in the first place.

Paragraph 31 of the schedule requires the controller to have an appropriate policy document in place when relying on a processing condition in part 2 of the schedule to process criminal convictions data. However, all the provisions in part 2 are subject to the policy document requirement except where noted, so there is no reason to state it again in paragraph 31. Amendment 91 removes that duplicate requirement. It is simply a tidying-up amendment to improve the coherence of the Bill.

The Chair

- Hansard -

Copy Link

That is indeed a point of order. The record will show that the hon. Gentleman has now declared his interest in relation to his contributions to the debate.

Ordered, That the debate be now adjourned.—(Nigel Adams.)