Leaving the EU: Data Protection Debate
Full Debate: Read Full DebateJim Shannon
Main Page: Jim Shannon (Democratic Unionist Party - Strangford)Department Debates - View all Jim Shannon's debates with the Department for Digital, Culture, Media & Sport
(7 years, 1 month ago)
Commons ChamberI congratulate the hon. Member for Warwick and Leamington (Matt Western) on an incredible speech. It is always a pleasure to listen to Members’ maiden speeches, and I enjoyed his as well. I am not sure I will go to Leamington Spa for my holidays, but none the less I was greatly intrigued by his presentation.
It is hard to pick up a newspaper, listen to the radio or follow the news today without hearing about Brexit and its impact on the UK. Normally when there is good news, it is presented as being in spite of Brexit. That kind of rhetoric is not helpful. The fact is that a majority of 17.4 million people, of whom I was one, voted to leave the EU. A majority of my constituents voted to leave as well. We are now upholding that decision, as is only right in a democratic society. Of course, it is right and proper, as we are doing today, to discuss the implications and solutions surrounding the decision and to recognise the opportunities that Brexit can bring for the people of the United Kingdom of Great Britain and Northern Ireland.
In July, the House of Lords European Union Committee examined the impact that Brexit would have on data protection in the UK. At the time, the conclusion was that there was a lack of detail about how the Government would maintain the flow of data post Brexit, as others have said. Under the EU’s data protection framework, a country outside the EU and EEA is classed as a third country, and personal data can be transferred to a third country only where adequate protection is guaranteed. Since the Lords Select Committee published its findings, the Prime Minister has announced a transitional period after the UK leaves the EU in March 2019, meaning that we can safely secure an adequacy decision from the European Commission. Since the Government have continually stressed their desire to secure the unhindered flow of data between the UK and the EU post Brexit, that seems a very desirable solution. I believe it is one that everyone in this House—everyone who has participated in this debate and those who have not—would want to see.
Regardless of Brexit, it is important to remember that we are already experiencing a change in our data protection laws. The Queen’s Speech included plans to secure a data protection framework that is suitable for a new digital age. Unsurprisingly, the way in which data is used and processed has changed significantly since 1995. The purpose of the new Bill will be to implement the general data protection regulation. Research shows that some 80% of people feel that they do not have complete control over their data online. The Information Commissioner’s Office, the data protection regulator, will also be given more power to defend consumer interests and issue higher fines. Implementing the GDPR, which the UK is due to do on 25 May 2018, will ensure that the UK meets its obligations while remaining an EU member state, but it will also help to put us in the best position to maintain our ability to share data with the EU and internationally when we leave. Given that more than 70% of all trade in services is enabled by data flows, it is not surprising that data protection is so critical to international trade.
There is a lot of doom and gloom among some sections in this House and also outside, but it is important to remember how successful the UK is, particularly in data protection—something that I am confident will improve even further with the new Data Protection Bill, as I am sure the Minister will confirm in his summing up. The UK is one of the leading drivers of high data protection standards across the globe. Data flows are important for both the UK and EU economies and for wider co-operation, including in law enforcement. I think we can all agree that it is vital for keeping our countries safe, which is a critical factor.
In 2015, the EU data economy was estimated to be worth €272 billion, which is around 2% of EU GDP. Estimates suggest that its value could rise to €643 billion by 2020, or more than 3% of GDP, although this is subject to legal and policy frameworks being put in place. Estimates suggest that around 43% of all EU digital companies are started in the UK and that 75% of the UK’s cross-border data flows are with EU countries. Analysis indicates that the UK has the largest internet economy as a percentage of GDP of all the G20 countries and has an economy dominated by service sectors, in which data and data flows are increasingly vital. The UK accounted for 11.5% of global cross-border data flows in 2015, compared with 3.9% of global GDP, but the value of data flows to the wider economy is even greater. Surely these statistics are evidence of the need to continue and secure the flow of data between both the EU and the UK.
The GDPR has a number of provisions, including the transfer of personal data to third countries and international organisations. To that end, it puts the Commission in charge of assessing the level of protection given by a territory or processing sector in a third country. Achieving an adequacy decision from the European Commission, while completely possible, is not guaranteed —other Members have also put questions about that. For example, Canada has been approved for only certain types of personal data. If for whatever reason the UK’s laws are not considered to meet the adequacy standard, businesses in the UK would be subject to the same restrictions that currently apply to data transfers from the EU to the US. Surely early certainty about how we can extend the current provisions, alongside an agreed negotiating timeline for longer-term arrangements, will give businesses on both sides certainty for the future. I understand that everyone wants to secure an agreement on data sharing with the European Union as quickly as possible, but will the Minister clarify the Government’s position on what will happen if we do not achieve approval from the Commission?
I want to conclude with some remarks about Northern Ireland, because it is important to get this on the record. We are all aware in this House of the special case that those of us in Northern Ireland find ourselves in. We are the only part of the United Kingdom that will share a land border with an EU member state. As with many other things, specific thought will need to be given to the impact of data protection matters not only in Northern Ireland, but across the whole United Kingdom. For example, if for whatever reason we are unable to secure an agreement or an adequacy decision, any Irish company with a UK base will find itself in a difficult position, which could have implications for us in Northern Ireland.
Earlier this year, KPMG considered this issue and found that where an Irish company has a UK-based operation and holds, for example, payroll data about Irish or other EU nationals in that UK base, it may need to start considering whether it relocates that base to another EU state. Alternatively, the company may instead have to adopt standards compatible with the new EU rules, such as binding corporate rules. Otherwise, unless and until the UK receives Commission approval, or some form of bilateral agreement is reached, any transfers of payroll data from Ireland to the UK post Brexit will fall foul of the GDPR. It is also worth noting that any company that is found to have transferred payroll data in breach of the GDPR may be subject to a fine amounting to 4% of its global turnover, or €20 million. If a company had offices in Dublin and Belfast or Dublin and London, for example, that could—or would—present a significant problem.
When it comes to our joint security, sharing personal data is essential for our wider co-operation in the fight against serious crime and terrorism. Between October 2014 and September 2015, the UK Financial Intelligence Unit received 1,566 requests from international partners for financial intelligence, at least 800 of which came from EU member states. The UK is instrumental in contributing high-quality information, analysis and expertise in areas such as passenger data and financial intelligence. It also gains considerable benefit from the information provided by other member states in bringing criminals to justice within its own borders.
Data-sharing is a vital part of our counter-terrorism strategies. The Europol website recognises the importance of working not only with the EU but with its international partners. It points out that
“organised crime does not stop at international borders…it is also essential to have cooperation initiatives with… non-EU States and international organisations”.
That makes clear the shared understanding that keeping our countries safe is widely accepted as being non-negotiable, both within Europe and internationally.
Often, when we consider threats of terrorism, we look at the physical attacks, but while that cannot and must never be overlooked, we must also consider the way in which the use of data is changing. It is changing continually; it is changing as we sit here. As it becomes more sophisticated, the number of cyber-threats from state and non-state actors increase, and those threats do not respect borders. Earlier this year, the WannaCry ransomware infections caused thousands of simultaneous cyber-attacks to be recorded across the globe, affecting more than 100 countries in a co-ordinated breach of IT systems in both private and public sector bodies. As technologies evolve and cyber-threats grow, it is vital that law enforcement keeps pace and develops capabilities to stay ahead of attackers whom we must work together with our European and international partners to defeat.
As has already been mentioned, the increasingly international, borderless nature of criminal activity makes the swift and efficient availability of data essential to modern law enforcement. The ability of law enforcement agencies to conduct point-to-point data exchange is critical to developing lines of inquiry, identifying suspects, and taking appropriate action.
I will end my speech now, because I have been told by the Whips to conform to a certain time. I appreciate that I have covered a number of topics—as have all the other speakers—but I think we can all agree on the importance of securing an agreement with the European Union, so that we can continue to share data in the same way as we do now. That will ensure that businesses in the UK, and those from EU states with UK bases, can operate as they have done previously. It will also enable our countries to continue to co-operate in vitally important areas, sharing data and information in the fight against terrorism and criminality.
I look forward to hearing the Minister’s comments. As a Brexiteer, I am sure that we are moving forward in a constructive and positive way.