Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 Debate
Lord Adonis (Labour - Life peer)
Department for Digital, Culture, Media & Sport
(5 years, 9 months ago)
Lords Chamber
My Lords, if the Minister will forgive me, this is a crucial issue in what is going to happen. Where there is a data controller outside the United Kingdom in a no-deal scenario, will there be a requirement for it to have a representative inside the United Kingdom to replicate the existing EU arrangement? It was not clear from what the Minister has just said whether that will be an absolute requirement.
If they fulfil those conditions that I mentioned, the answer is yes.
I would like to touch on what our exit from the EU might mean for the applied GDPR, as provided for by Chapter 3 of Part 2 of the Data Protection Act 2018. Noble Lords will recall that we created a separate regime which provides for broadly equivalent standards to the GDPR to apply to processing activities that are outside the scope of EU law and covered by neither Part 3 nor 4 of the Act, which deal with processing by law enforcement and intelligence services respectively. This regime currently applies, for example, where a controller other than the intelligence services is processing for national security or defence purposes.
As the EU GDPR will not, as a matter of domestic law, apply directly to any general processing activities when we leave the EU, these regulations are intended to simplify matters by providing for a single regime for all general processing activities. Those provisions in the 2018 Act that provide for the applied GDPR, together with other references to the applied GDPR in legislation, are removed. Importantly, the provisions in the applied GDPR which currently provide exemptions from specified provisions where these are required for the purposes of safeguarding national security or for defence purposes have been retained in the merged regime. These exemptions balance the need to protect personal data against ensuring that the UK’s security and intelligence community can continue to carry out its vital work to safeguard national security. I should emphasise that the merger does not itself alter the purview of EU law so where aspects of domestic data protection law were outside EU competence before exit day, this will not change as a result of this instrument. We have included provisions in the regulations to make that point clear.
I believe that the approach the Government are taking is an appropriate way of addressing the deficiencies in domestic data protection laws resulting from the UK leaving the EU. The aim of these regulations is to ensure continuity for data subjects, controllers and processors by maintaining the same data protection standards that currently exist under the GDPR and the Data Protection Act 2018.
My remarks have focused on the changes made to the GDPR and the Data Protection Act because they are the most significant. For completeness, I should add that the regulations make a number of minor amendments to other legislation, consequential on the amendments we are making to the UK GDPR and Data Protection Act 2018. For example, they amend references to the “GDPR” in other legislation to refer to the “UK GDPR”.
They also address a small number of non-exit-related issues. They clarify that the GDPR definition of consent applies for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003, and address two minor drafting issues that were identified in Schedule 19 to the Data Protection Act 2018, shortly before it received Royal Assent. I commend these regulations to the House.
The Minister never said anything about difficult foreigners, but there has always been the impression that this would all be as smooth as smooth. “Do they not understand that we are trying to be helpful?”, we ask, when we have caused Europe so much disruption and cost by this act. In this case, it is essential that we are part of the ongoing dialogue. This GDPR is not the end of the process. As the House was discussing last week, these European laws are going to develop. How we then act and deal with them is going to affect where jurisdiction lies—with European or British courts.
The noble Lord has raised a litany of concerns about the GDPR regime after Brexit and cited a number of people who briefed him about it, including QCs and Members of the European Parliament. However, he will have noticed that there has been no public consultation at all on these regulations. There has been no opportunity for people directly affected to publicly brief us. Does he share my concern about that? Would he like to comment on the process of public consultation on these regulations?
It is, of course, a farce. These regulations are all being rushed through at the last minute and we know that we have to put them in place as the cliff edge approaches.
I do not want to be rude to Fieldfisher, because it provided some excellent briefing but, my God, the lawyers must be rubbing their hands at the cornucopia that is going to be tipped out to them as companies and individuals try to make sense of the reality. Whether we get a deal, or fall out, it will be a jagged, uncertain, unclear leaving.
My Lords, the noble Baroness, Lady Ludford, has raised some important points. It is totally unjustifiable that there is no impact assessment for this regulation; I hope that the Minister will address and explain that. The noble Baroness also made an important point about the way that data adequacy will be assessed if we are outside the EU, particularly in a no-deal scenario.
I will extend that to cover my perennial theme of consultation. No issue affects businesses and individuals across the country more than data. Indeed, we went through the whole GDPR exercise precisely because this is so central to our individual and community life. The fact that there has been no consultation at all on this regulation seems truly indefensible, so I hope that the Minister will say why that has been the case. The noble Lord, Lord McNally, said that data is now the new oil. He is absolutely right; it is as important to the functioning of our economy and our society as energy—it is a form of energy—and there clearly should have been consultation. Can the Minister say why there was no consultation? I assume that he will tell us again that there was no time, which begs the question of why we are going through this no-deal process at all if there is not time to conduct the normal processes of government in respect of it.
As ever, there is a bizarre twist to the statement on consultation. Paragraph 10 of the Explanatory Memorandum states:
“The government has not consulted publicly on this instrument”.
I presume that that means that they have consulted privately, and the House needs to know who has been consulted privately. The only body mentioned in paragraph 10 is the Information Commissioner’s Office, with which, it states, the regulation has been developed in consultation. Who else has been consulted privately and what were the selection criteria? Since the regulation was published, there have been representations. What representations have been made to the Minister’s department and what was their content?
The noble Baroness, Lady Ludford, also raised the issue of trying to assess the impact. Again we have doublespeak in respect of the regulations. We are told that their literal interpretation means that there is no further impact over and above the operation of existing European law. However, that is after, in the words of the White Queen in Alice in Wonderland, you have believed six impossible things before breakfast. Paragraph 12, entitled, “Impact”, states:
“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”,
but concludes:
“Data flows from the EEA to the UK may be restricted post-exit, but that is as a consequence of the UK leaving the EU, not as a result of this instrument”.
It is impossible to separate the instrument from the fact that we are leaving the EU. The noble Baroness put her finger on a very important point, which is that if we leave the EU with a deal on the basis recommended by the Prime Minister, the impact might be radically different from that envisaged under the instrument, for two reasons. First, there will be a transition period in which nothing changes but, secondly, the political declaration heralds negotiations on a whole set of issues, including trade and data flows, which might well lead to our continuing in the existing GDPR regime. So the last sentence of paragraph 12 is not true. It is not true to say that the issue of data flows and the regulation of data is dependent on the UK leaving the EU, not as a result of the instrument. There is a crucial difference between leaving the EU with a deal—in particular, with a deal that maintains the status quo—and without a deal.
When the noble Lord, Lord McNally, cited one of his expensive lawyers, who had suggested that there may be additional complexity—
I was not suggesting that they were his personal expensive lawyers, just expensive lawyers who have chosen to brief him; I know that he could not possibly afford expensive lawyers. When he said that it depends on what happens as time goes on, he put his finger on a very important point. The whole point of no deal, with a separate regime under our ICO, is that we could quite quickly find ourselves diverging, and as we diverge, that will quickly impose burdens over and above those that would apply even if we left the EU with a deal.
I am also not sure it is true to say that there would be no burdens as a result of the regulations even at the outset. I am a lay man in this business, and trying to understand what is going on is very difficult, particularly because there has been no consultation and we do not have the opportunity to assess what people who are expert and directly affected have said. The reason I intervened on the Minister in his opening remarks is that, having been a company director who has had to deal with the implementation of the GDPR, I know that having a representative dealing with data matters inside the EEA is very important. Many companies have offshored a lot of their data-control activities, and the requirement of the GDPR that they must have a representative inside the EEA—which I think is the correct thing to do—is a definite burden. It means that companies not only have to employ additional individuals but have to set up additional offices, in essence, to cope with those flows in many cases, particularly if they are dealing with significant data-handling exercises which are outside the EEA at the moment. This happens all the time with call centres in India; many companies are in this territory.
My understanding of what the Minister said in our earlier exchange is that if we leave with no deal and therefore must set up our own UK data-monitoring regime immediately, there will be a requirement for every company operating outside the EEA—which must, under the GDPR, have a representative inside the EEA—to have a representative in the United Kingdom. I would be grateful if the Minister could confirm that because if it is true, that is an immediate and potentially significant burden.
The other important point is that people need to understand that these arrangements are reciprocal. One reason why we as a country have such a good services industry is that a lot of companies based in the UK do substantial business in the EEA and beyond. That is great. My assumption, although it is not spelled out in the Explanatory Memorandum, is that in a no-deal scenario, data controllers who are based in the UK but do substantial business in the EEA will be required by the European Union to have representatives in the European Union over and above their data controllers in the UK; these are not currently needed. I would be grateful if the Minister could address that point. This flows logically from the new regime being set up. I would be astonished if that is not the case because I do not think that the European Union would regard having a data controller in the United Kingdom as meeting its standards of data adequacy. I would be grateful if the Minister could confirm that.
On that point, it is apparent that this immediately imposes a burden, potentially a significant one, on every company that handles data in the European Union or the EEA, as opposed to just in the UK. That represents a substantial proportion of our companies. If we had had an impact assessment, as the noble Baroness, Lady Ludford, suggested, this issue would have been brought out and we would know its effect. If there had been public consultation, we would know, but there has been none—and we have had no impact assessment. To my surprise, the Select Committees of this House that oversee instruments and put them to us have not raised these issues, which seem substantial and should have been raised before these instruments came to this House.
I think my noble friend has not quite got it. I assure him that, as the noble Lord, Lord Cunningham, said earlier, Sub-Committee B is in the process of sending a letter to the Treasury complaining about the national policy it laid down on not having impact assessments for these instruments. Every week, we are seeing dozens of instruments with references to both informal consultation and none, but now it has been picked up that there is a national policy not to have impact assessments.
Is my noble friend saying that the Select Committee did raise these concerns?
Yes. As I speak, a letter is winging its way from Sub-Committee B to the Treasury. It was agreed at our meeting last week, the committee having discussed it in previous weeks.
That raises the issue of why that is not in any of the information before your Lordships. I was not aware of that at all. It is not flagged up in any of the documentation. Like other noble Lords, I appreciate hugely the work done by our Select Committees but the committee’s view is not always completely clear to the House when these instruments come before it, unless the committee has issued a formal report. We do not get full value from our Select Committees in the way that their work is presented. For instance, I am surprised that the chairs of these Select Committees do not comment on these instruments based on the committees’ work. I see that one of the chairs is sitting opposite; perhaps he would like to intervene.
All I can say at the moment is that the letter to which the noble Lord, Lord Rooker, referred has not gone quite yet.
My Lords, I appear to be flushing out an important dispute that is taking place between the chairs of Sub-Committee A and Sub-Committee B.
I have to say that this for me is a black box. Because of my other duties I have not been able to spend time analysing what is going on in Sub-Committees A and B, but this is very important because hundreds of these instruments are coming to us.
I turn to the issue of there being no consultation, which my noble friend Lord Rooker referred to. I have been going on about it for weeks. This has been true of every single no-deal instrument that has come to your Lordships. It is deeply and profoundly unsatisfactory. In my view this ought to have been flagged up for each of these instruments from the beginning and ought to have been a reason for them not to come before the House. How can we possibly conduct the proper business of the nation in terms of changing the law when we do not have any public consultation with any of the sectors that are affected by these instruments? We are dependent on the expensive lawyers of the noble Lord, Lord McNally, even to spell out the most basic features of these regulations—which, first, will not be apparent to those of us who are lay people and, secondly, which those people who are affected have had no opportunity to present except through the agency of expensive lawyers who seek to make a living. Of course, the expensive lawyers referred to by the noble Lord, Lord McNally, will now advertise their wares to companies, telling them what the impact of these things is going to be because they did not have a chance to engage with them earlier and make their views known, particularly if they start being adversely affected.
My Lords, I never described them as expensive lawyers—otherwise they might never write to me again. I said that they were distinguished lawyers.
Perhaps I misheard the noble Lord—we will call them distinguished lawyers.
However, there is a dispute going on between the chairs of Sub-Committee A and Sub-Committee B. I do not know how these disputes are resolved. Do they come to the House? Perhaps they should come to the House.
My Lords, I can assure both noble Lords, Lord Adonis and Lord Rooker, that agreement is very close.
My Lords, I hope that it is close, because meanwhile we have another seven of these instruments to consider today and the whole of the Order Paper for Wednesday has, I think, another dozen of them. We also have hundreds more coming next week. Perhaps I may say to the noble Lord that I hope that this can be resolved extremely quickly and that we can find a satisfactory way forward, because the issue of the lack of impact assessments seems to be entirely arbitrary. We have some on the later instruments that will be introduced by the noble Lord, Lord Bates, but there are none on these. However, no formal consultation has been carried out on any of the instruments.
I have some fear that I will raise the noble Lord’s blood pressure even higher, but if he takes a look at the impact assessments that are provided, I think that he will be shocked by their inadequacy. They do not move us very far on from having no impact assessment at all.
My Lords, I do not think that it is possible for my blood pressure to be higher on these matters. However, I hope that the blood pressure of the House is high, because we are supposed to be legislating on behalf of the country, and the proceedings of your Lordships in respect of these no-deal statutory instruments are an absolute farce. I do not think that the procedures of the House are working well. The fact is that the two chairs of our relevant sub-committees cannot even agree on a letter to send to the Treasury in respect of the handling of consultation. The fact that it is about six months after we started getting the initial flow of statutory instruments on this matter coming to the House is in itself deeply unsatisfactory and is not a good commentary on the way our parliamentary proceedings are working. Moreover, the fact is that what we get are bromides from the Government that there is no change, based on there being no impact assessments, no consultation and a complete misreading of what the situation is in any event, because it involves a denial of all of the negative consequences that will flow from leaving the European Union, which of course is the underlying fact that they should be grappling with in the first place when conducting consultations and impact assessments. It is deeply unsatisfactory.
The right thing for this House to do would be to reject these instruments. We should not be a party to such an abuse of our constitutional procedures as is taking place with these no-deal instruments. What we will be faced with, though—I feel this pressure myself—is that we could crash out of the European Union in an unconscionable act of misgovernment in the course of five weeks’ time, so we have to do our level best to ensure at least that there is a statute book in place for that eventuality. But I and other noble Lords want to put on the record that the situation we are faced with, and which gets worse with every debate that flushes out more facts about what is actually happening, is a complete abuse of our constitutional procedures.
That last point is very important. Somebody pointed out the other day that one day there will be a full judicial inquiry into how this process has been carried through. Ministers and civil servants should be aware that one day there will be accountability for the way this has been done.
The noble Lord is right, but I do not think that that day is far off; I think it will come soon. Let us be clear: we are not talking about a natural disaster. As a Minister, I often had to deal with those. When there are ash clouds and volcanoes erupt, you have to take very difficult and extreme decisions at short notice. Here we are talking about an act which the Government are inflicting on the country, with no external agency whatever. Not only that, but the Government could this afternoon terminate the situation we are faced with, in respect of these no-deal regulations, by the Prime Minister announcing that she is not proceeding with no deal and that she will, on behalf of the United Kingdom, submit a request to extend Article 50—or, as we now know she can do from the judgments of the European court, rescind it unilaterally. This will be a big matter for the public inquiry that the noble Lord, Lord McNally, is referring to. All the consequences of this no-deal situation are caused by the Government, and the remedy for them is entirely at the disposal of the Government. It is our absolute duty to point this out all the way through this process, so that at least some of us in the parliamentary system can point to the fact that we did our level best not to take the nation to the edge of the cliff where we are now at.
Coming back to this instrument, it is totally unacceptable that we are dealing with such an important set of regulations relating to the fundamental issue of data and data protection and there has been neither an impact assessment nor any public consultation.
My Lords, I asked the Minister about the state of play on an adequacy decision. I am told that the Minister in the other place, Margot James, confirmed a few weeks ago not only that those discussions can start—at least formally—only after the UK leaves the EU, but that they would take two years; that was her estimate. So that multiplies the gravity of having no impact assessment; if we crash out without a deal, we will have a legal void for a long time.
The noble Baroness raises a very important question, to which the Minister should respond: how long will it take to consider this? Noble Lords who woke up to the “Today” programme this morning will have been astonished to find that Dr Liam Fox and the Foreign Secretary had written to the Japanese Prime Minister telling him to get a move on in signing a trade deal with Britain—as if we, because we are putting ourselves in a position of great jeopardy and undermining existing international agreements in five weeks, can now start instructing foreign Governments on the timescales in which they should conduct international negotiations. This is utterly humiliating to us as a country. It is a fundamental breach of the proper conduct of public affairs. What the noble Baroness said about it taking another two years even to get the basis of data adequacy agreements with the EU, because of our act of withdrawing from the European Union, simply underlines the point.
My Lords, in the middle of all that I shall provide a still, small voice of calm for a moment—perhaps—in keen anticipation of the response of the Minister, who will have to orchestrate the energies that have been released and deal with the blood pressure of my noble friend Lord Adonis.
I have looked at this statutory instrument. I can see 65 pages of intricate cross-stitching, as an untold number of lawyers for untold numbers of hours have pored over pieces of legislation, harmonised what can be harmonised, tweaked what can be tweaked and produced at the end an unreadable pastiche, leaving us reliant on the Explanatory Memorandum. As I sat at my kitchen table on the sunniest weekend we have had this year so far, with pieces of legislation spread out all around me, there was no other method available to me.
I read of changes to the GDPR and the law enforcement directive,
“over which our Information Commissioner’s Office and UK civil servants have had considerable influence”.—[Official Report, Commons, Sixteenth Delegated Legislation Committee, 14/2/19; col. 1.]
That we, once among the architects of how we handle our data as a continent, should now be in the position we are in is a great sadness. I would say the same thing for the European Court of Justice, which we had a formative contribution in shaping. That we are arguing these points in this way is a dreadful place to be.
I echo what has been said to my left and to my right about reciprocity, adequacy and all that. At the moment of leaving, we will, I suppose, accept the remaining members of the European Union as having passed the adequacy test. Indeed, through the Privacy Shield scheme in the United States, we will offer that sense of adequacy even beyond Europe. But, as has been said, the negotiations to have some reciprocity and adequacy expressed for our own case will take an indeterminate time—two years has been mentioned, and the Minister will respond to that in due course. It seems such a strangely asymmetrical presentation of these important facts. I want to ask, as others have done: is it true that the assessment of adequacy for the United Kingdom might take as long as that?
In his opening remarks, the Minister mentioned that, at such-and-such an item in the political agreement, there is reference to the urgency with which certain of these things must happen. Perhaps he will excuse my ignorance on this point, but, if there is no deal, is there no deal in respect of the deal and of the political agreement? If so, the item he referred to falls, as indeed does the deal.
The noble Lord, Lord Balfe, made a speech last week on what happens once you have reached a fixed point, which has again been hinted at in this debate. At the moment, all we are talking about is something that will come to pass on a particular date, just five weeks away, at which point things should square up with each other. But what happens in the two years it will take for adequacy for us to be granted by the negotiating process that will then begin? What happens if decisions about how to act in the area of the management of data begin to diverge? It is not a fixed position. What mechanisms do we have to handle a shifting scene?
My noble friend Lord Adonis mentioned Japan. It did not come into the picture because, at the time this statutory instrument was written, something was happening that had not yet been brought to a conclusion. But we now know what the conclusion is, and we see that Japan will be a much more difficult case to crack than we had thought. Once again, we are in a bad place.
Without a deal—or even, it seems, with one—the ICO will no longer sit on the European Data Protection Board. The noble Lord, Lord McNally, referred to the loneliness of the Norwegian, and it is worth emphasising that all over again. It will be a dreadful thing for us to send our top person to such discussions and have her sit out and have no real practical influence—this is the United Kingdom we are talking about—nor will she be able to participate in the GDPR’s one-stop shop mechanism. This is another terrible place to put her. How should we feel about this? I think it is important.
Incidentally, I see why there is no impact assessment or public consultation: all the people who might have been available to harness such an impact assessment or consultation have been disentangling laws and working as drones to put this SI together. I cannot feel that we are doing anything that any of us would be other than ashamed about with the passage of time.
On the age at which consent is deemed to have been given, are the Government, in opting for 13—there was a spread of ages between 13 and 16 when we considered the Data Protection Bill last year—achieving by secondary legislation what we were reluctant to do just a year ago with the primary legislation? What is our duty of care in such circumstances?
I agree. That is why the Government are making all efforts to secure a deal. We agree that a deal is the best situation for the country. We are at one with that.
In answer to the noble Baroness, I will start with something which is my responsibility—the legislation.gov.uk website provided by the National Archives. I will take up the matter with it. I am told that it may be helpful to search for “draft statutory instruments” rather than “statutory instruments”. I certainly listened to what she said about the website not working and will check what we need to do.
The noble Baroness, the noble Lord, Lord Adonis, and others talked about the impact assessment and asked why it has not been published. The impact of this instrument, not the impact of leaving the EU, was assessed in line with standard practice following the existing Better Regulation framework. It is focused on the direct impact of the relevant SI compared with the current legislation. The whole point of this SI is to maintain an equivalent regulatory framework to protect personal data. The noble Lord, Lord Adonis, quite rightly pointed out that it affects not only UK businesses but mostly EU and EEA businesses, which will have to have representatives in this country, and I will come to that. It is a reciprocal arrangement. If these regulations come into force and we have a UK GDPR, the same necessity for representatives will take place both ways, and I will come to that.
The analysis, to the best of the Government’s ability, of the wider impact of the UK’s exit from the EU was published in the Long-term Economic Analysis in November last year. The noble Lord, Lord Adonis, talked about representatives and Article 27. He is correct that data controllers who offer goods and services to or monitor the behaviour of data subjects in the UK will need to appoint a representative in the UK, but that is a cost to non-UK businesses, which is what the impact assessment is meant to address. He is also correct that there will be organisations in the UK that will be required as a matter of EU law to appoint a representative in the EEA. The ICO provides data controllers with advice on this obligation and will continue to do so. If controllers and processors based abroad are routinely processing data, it is right that they should be accountable in the UK and have a presence here because this is about maintaining the status quo as far as possible, not about rolling back protections for individuals, so the representative is a point of contact for the data subject as well as the supervisory authorities, such as the Information Commissioner.
I understand that the Minister is saying that my supposition is correct that after a no-deal Brexit a UK data controller doing business in the EEA will have to have a representative in the EEA as well as in the UK because this will be a reciprocal obligation—the Minister is nodding, so he agrees. The key point is that that is a significant burden on businesses. There is no way of getting away from it. That is a new and significant burden on UK businesses as a result of the regime put in place by this instrument, so why is it not flagged up in the Explanatory Memorandum to this order? Indeed, to take up the point made by my noble friend Lord Rooker, why did our Select Committees not point this out in their analysis of this instrument? My reading is that this is going to be a burden on a very substantial proportion of businesses which conduct business that involves data. Therefore almost all of them that do business on the continent will be required to have a representative on the continent for GDPR purposes which they do not have to do now and will not have to do if there is a deal because we would have continuity of the existing GDPR arrangements.
It is true that they may be required to have representatives in the EEA, and it is a reciprocal benefit. The impact assessment looks at the specific requirements of the SI, not at the requirements of leaving the EU. The long-term consequences for business—
I thank the noble Lord for his view. It is clearly not for me to promise a Statement to the House. As I said before, I will agree to take back what he said and put both interventions to the House authorities. They may or may not agree. If they do not, I am sure that he will be able to raise it in an appropriate forum direct with the usual channels—both via his own Chief Whip and also directly with the Leader of the House and our Chief Whip. However, it is not appropriate, in considering an SI, to move beyond that to the wider method used by the House to address statutory instruments. Ministers certainly feel that they have been scrutinised considerably. I do not see that the noble Lord, or others who have spoken on this, are suffering from a lack of information with which to scrutinise these statutory instruments; they seem to be scrutinising fairly effectively as far as I can tell.
My response to the point made by the noble Lord, Lord Adonis, about the effect of representatives on business, is that the need to have a representative in the EEA is not as a result of this statutory instrument—it is as a result of EU law. Therefore, as I said before, the fact that we will no longer be part of the EU means that EU law will apply to us as a third country; until now, we have not been a third country.
I seem to have misunderstood. I thought we had got clarity on this situation. While we are a member of the EU, a company needs to have only one representative in the EU—if I have got that right—whereas under the no-deal Brexit scenario, if the company is based in the UK and does business involving data exchanges or transfer in the EEA, it will need to have two. That is a very important point. It is not the case that the status quo will continue: there will be a fundamental difference once we are outside, because then we will be a third country as far as the EU is concerned. The reciprocal arrangements mean that UK businesses doing business on the continent will need to have a data representative in the EU and vice versa, which is not the case at the moment in respect of the EEA. Is that correct?
I do not think that is correct, but I will write to the noble Lord to confirm it.
This is a fundamental issue; it goes to the heart of these regulations. The House should absolutely not agree to these regulations without us being clear in this debate on whether there will be a requirement to have data representatives in both the UK and the EEA reciprocally in the event of a no-deal Brexit. That is fundamental. My reading of these regulations is that this will be a requirement and that is what I took the noble Lord to be confirming earlier in the debate.
I think the noble Lord has mis-stated it. The reciprocity is that an EEA company will be required to have a representative in the UK and, likewise, a UK company will be required to have a representative in the EEA.
That is not the case at the moment, while we are in the European Union. That is the key point, is it not?
There will be a fundamental and massive increase in burdens as a result; this is the key point that I am trying to get across, which is not in the Explanatory Memorandum at all. It is not necessarily a point about leaving the EU. If we have an agreement, with an implementation period and so on, there will not be that requirement until we leave the existing regime. These are fundamental issues, which should have been brought up well before this debate started. The fact that the noble Lord cannot even definitively confirm the arrangement is quite a serious problem for us.
I am sorry, but I do not agree with the noble Lord. When we have the UK GDPR, which these regulations will bring into place, there will be reciprocity in the need to have representatives in each other’s countries. I agree that this will be a change. We do not need them at the moment because we are in the EU, but this will be a result of leaving the EU.
I understand the point from the noble Lord, Lord McNally, that our new position will not be the same as being in the EU. If we were a third country, I would expect us to have less influence than if we were a member of the EU. I am not denying that; it seems obvious. He is absolutely right that the GDPR was influenced by the UK, not only by officials in the negotiations but specifically by the ICO, which is regarded as one of the leading regulators in Europe. Of course, it will not have the same position as it did if we are not in the EU; I take that point.
However, I do not base everything on just the political declaration, which may or may not have some influence. It is also that we have retained Article 50 of the GDPR. I cannot remember the exact words, but it is on the basis of that that the EU talks about international co-operation with third countries, so there is a mechanism. As I said to the noble Lord, Lord McNally, it will not be the same, but there are bases for international co-operation. The EU wants that to happen and understands that in things such as data protection, you have to have an international consensus. In fact, on that, it is more important to go beyond the EU and do it internationally. Other organisations should—and do—take views on this. I think we are at the start of the journey on control of cross-border data flows and it will provide a further basis to influence behaviour.
On adequacy, it is easy to ask for detailed timelines on when this will take place. It will not take place on exit day, because it is not possible for the EU to give an adequacy decision unless you are a third country. Preliminary discussions—which, as the noble Baroness, Lady Ludford, has indicated, may take some time—could begin now and we are ready to begin those discussions as soon as we can. We are already liaising with the European Commission—in fact, senior officials were in Brussels for talks last week—and we have liaised with member states on this subject. When the EU is ready to begin discussions, we are confident that we will be ready, but it is impossible to say how long that will take because, as the noble Baroness said, it is not a decision that is in our gift.
However, we start from a position of regulatory alignment on data protection. We implemented the GDPR and the law enforcement directive. We have also taken a GDPR approach on data protection to areas that were outside EU competence, such as law enforcement and national security, so we start in a very good position. In fact, it is such a good position that the UN special rapporteur on the right to privacy declared that the UK now co-leads in Europe and globally on privacy safeguards, and has made significant improvements in its oversight system since 2015. He said that,
“the UK has now equipped itself with a legal framework and significant resources designed to protect privacy without compromising security”.
It is important to note that there is a strong mutual interest in data adequacy.
The noble Lord, Lord Adonis, said that it is unsafe to pass this SI. I would like to point out what that would mean, if it is not passed and we have a no-deal exit. It would mean that we would cease to have properly functioning data protection law. The whole basis for adequacy decisions, which I think we all agree is very important, would go, because we would not be on a reciprocal basis—
Would the noble Lord agree that a better course would be for the Government to rule out no deal?
I am talking about data protection. We want a deal; I think everyone agrees on that. The question is whether going into a negotiation saying that is a good way to approach the negotiation.
As well as the basis for adequacy going, there would be no transitional arrangements to enable lawful personal data to transfer to the EEA. The noble Lord, Lord Adonis, is concerned about business expenses; for that reason, that would not be a sensible way of going forward.
On the adequacy decision which my honourable friend Margot James mentioned, I do not have her remarks before me, but I believe she said something about two years. I think what she meant was that other countries’ adequacy decisions have sometimes taken two years, but we see no reason for it to take two years in the UK’s case, because, as I said, we are equivalent. I think I have answered most of the points that noble Lords raised.