Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 Debate
Lord Ashton of Hyde (Non-affiliated - Excepted Hereditary)
Lords Chamber
That the draft Regulations laid before the House on 14 January be approved.
My Lords, today we are concerned with the protection of personal data once the UK has withdrawn from the EU, when EU law will cease to apply in the UK.
Noble Lords will recall from debates last year on the Data Protection Bill that much of our current data protection framework derives from EU measures. When the UK leaves the EU, the GDPR will be retained in domestic law through the European Union (Withdrawal) Act 2018. That Act also permits fixes to be made so that the retained version of the UK GDPR continues to be operable in a domestic context. That is what the regulations before the House today are designed to do.
Before we look at the changes in more detail, it is important to make clear the general approach. The purpose of this exercise is to correct deficiencies arising from our departure from the EU. As such, these regulations do not significantly affect UK businesses or erode people’s data protection rights. We are looking to maintain continuity. This approach will put the UK in the best possible position to receive a positive adequacy decision from the EU.
Many of the amendments made to the GDPR by these regulations simply replace European Union-related terminology with UK equivalents. For example, there are many references in the GDPR to “member states” or “member state law”. These references have typically been amended by these regulations to refer to “the UK” and “domestic law” respectively, or removed altogether. For greater clarity post exit, the retained version of the GDPR as amended by these regulations will be known as the UK GDPR.
However, simply replacing European terminology with UK equivalents does not address all the deficiencies that arise as a result of our exit from the EU. The Government have given careful thought to how the UK GDPR and the Data Protection Act 2018 should approach these remaining deficiencies. I shall address a number of these important issues in more detail.
The GDPR and Part 3 of the Data Protection Act 2018, which implemented the law enforcement directive, restrict the transfer of personal data to third countries unless certain safeguards are met. One of those safeguards is where the third country concerned, or a sector within the country, has been deemed “adequate” by the EU Commission. Once an adequacy decision has been granted, data can flow freely to that country or sector. In the absence of an adequacy decision, data can still be transferred to third countries, but the onus is on controllers to make sure that alternative safeguards, such as standard contractual clauses or binding corporate rules, are in place to ensure that the data is protected.
My Lords, if the Minister will forgive me, this is a crucial issue in what is going to happen. Where there is a data controller outside the United Kingdom in a no-deal scenario, will there be a requirement for it to have a representative inside the United Kingdom to replicate the existing EU arrangement? It was not clear from what the Minister has just said whether that will be an absolute requirement.
If they fulfil those conditions that I mentioned, the answer is yes.
I would like to touch on what our exit from the EU might mean for the applied GDPR, as provided for by Chapter 3 of Part 2 of the Data Protection Act 2018. Noble Lords will recall that we created a separate regime which provides for broadly equivalent standards to the GDPR to apply to processing activities that are outside the scope of EU law and covered by neither Part 3 nor 4 of the Act, which deal with processing by law enforcement and intelligence services respectively. This regime currently applies, for example, where a controller other than the intelligence services is processing for national security or defence purposes.
As the EU GDPR will not, as a matter of domestic law, apply directly to any general processing activities when we leave the EU, these regulations are intended to simplify matters by providing for a single regime for all general processing activities. Those provisions in the 2018 Act that provide for the applied GDPR, together with other references to the applied GDPR in legislation, are removed. Importantly, the provisions in the applied GDPR which currently provide exemptions from specified provisions where these are required for the purposes of safeguarding national security or for defence purposes have been retained in the merged regime. These exemptions balance the need to protect personal data against ensuring that the UK’s security and intelligence community can continue to carry out its vital work to safeguard national security. I should emphasise that the merger does not itself alter the purview of EU law so where aspects of domestic data protection law were outside EU competence before exit day, this will not change as a result of this instrument. We have included provisions in the regulations to make that point clear.
I believe that the approach the Government are taking is an appropriate way of addressing the deficiencies in domestic data protection laws resulting from the UK leaving the EU. The aim of these regulations is to ensure continuity for data subjects, controllers and processors by maintaining the same data protection standards that currently exist under the GDPR and the Data Protection Act 2018.
My remarks have focused on the changes made to the GDPR and the Data Protection Act because they are the most significant. For completeness, I should add that the regulations make a number of minor amendments to other legislation, consequential on the amendments we are making to the UK GDPR and Data Protection Act 2018. For example, they amend references to the “GDPR” in other legislation to refer to the “UK GDPR”.
They also address a small number of non-exit-related issues. They clarify that the GDPR definition of consent applies for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003, and address two minor drafting issues that were identified in Schedule 19 to the Data Protection Act 2018, shortly before it received Royal Assent. I commend these regulations to the House.
My Lords, I am not sure the Minister is going to have quite the easy ride he had with the first statutory instrument. My eye was caught by a very detailed briefing by the law firm Fieldfisher on the consequences of this SI. It was the final paragraph that caught my eye. It says:
“From a broader perspective, the creation of a new data protection regime in the UK may present additional complexities for controllers and processors who are caught by both European and UK law and will therefore need to comply with both the GDPR and (in relation to UK customer data) something that looks like the GDPR but which may start to move away from it as time goes on”.
Those last words are ominous. There is no doubt that the GDPR was a great success for European co-operation. The noble Baroness, Lady O’Neill, reminded us earlier of the wide range of issues that we will have to take into account in protecting our democracy from data abuses. There are similar dangers in the protection of our commercial and business life. The value of the GDPR is that it gives us a strength of certainty of European legislation.
I will delay the House a little with a reminiscence. Between 2010 and 2013 I was the Minister at the Ministry of Justice responsible for the earlier negotiations on GDPR. I went to a meeting in Lithuania and throughout the day I noticed that there was one person sat at the table who never participated, voted or said anything. At the end I turned to the British ambassador and asked, “Who is the guy at the end of the table—he has not said anything?” “That is the Norwegian,” he said. “He can come and listen, but can’t vote and he is not involved in our decisions.”
I often think of that when I hear people banging on about sovereignty. Sovereignty was best exercised by British Ministers at the table briefed, I have to say, by officials who were the people to go to. I will not name any particular official, but there was one man to go to as GDPR clunked its way through the machinery. There were “light touchers” and those who had quite recently experienced a Stasi or state abuse of personal data and privacy, and balancing the requirements of GDPR was part of the diplomacy our officials showed. I was also greatly assisted by our parliamentarians in the European Parliament: my noble friend Lady Ludford was very influential in steering the GDPR through some choppy waters.
The noble Lord, Lord Forsyth, who is not in his place, said a few weeks ago in one of our Brexit debates that the first time he went as a Minister to Brussels he felt resentment and animosity that he was being, as it were, dictated to by these foreigners. I do not think that I am being too misleading in saying that; I am sure that he will correct me later if I am wrong. He certainly did not feel at home there.
Just to be clear, I did not say anything about the speed with which the European Commission would provide its decision.
Oh, dearie me. It is always the EU’s fault that we have got ourselves on this particular window ledge.
I am not blaming anyone, but an EU adequacy decision can be given only by the European Commission. It is not a question of blame; it is just a fact.
I will close with another one where I am sure that the Minister is not going to blame the European Commission but say that it is its responsibility. During the period that I am talking about, the stature and influence of our then Information Commissioner had a major impact on how we put the GDPR in place. Again, the Minister was unable to give us any real reassurances about whether we will be at the table in co-operation, or whether it is these difficult foreigners who are going to stop us doing that.
It is no use the Minister saying otherwise, because this is the reality.
I am sorry, I cannot let that pass. I never said anything about difficult foreigners.
The Minister never said anything about difficult foreigners, but there has always been the impression that this would all be as smooth as smooth. “Do they not understand that we are trying to be helpful?”, we ask, when we have caused Europe so much disruption and cost by this act. In this case, it is essential that we are part of the ongoing dialogue. This GDPR is not the end of the process. As the House was discussing last week, these European laws are going to develop. How we then act and deal with them is going to affect where jurisdiction lies—with European or British courts.
My Lords, first I have a couple of housekeeping questions which I hope are not too banal. I find considerable difficulty using the legislation.gov.uk website and its search function. Will the Minister ask his civil servants to check it out? Even if you search for “data protection 2019” under UK SIs, both the previous one and this are difficult to find. There was a 19 December version of these regulations, which were replaced in January. I must admit that I have not pored over every line of both to find the differences. Will the Minister explain why that was necessary?
Secondly, I want to ask about the absence of an impact assessment. Paragraph 12 of the Explanatory Memorandum states that:
“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”.
The pretext is that, while the Government recognise that:
“Data flows from the EEA to the UK may be restricted post-exit”—
because, if there is no deal, we will be plunged into a situation where there is no legal framework and no adequacy decision—
“that is as a consequence of the UK leaving the EU, not as a result of this instrument”.
That is the justification for having no impact assessment. However, if we left with a withdrawal deal and a transition there would be a legal framework, so this instrument, which provides for both a no-deal scenario and one in which there would be no adequacy decision, surely merits an impact assessment as well as the consultation to which the noble Lord, Lord Adonis, referred.
As the ICO has made clear, and as has been mentioned already, businesses may have to deal both with the ICO and with European data protection authorities in every EU and EEA state where they have customers. They may need a European representative if they process the data of people resident in the EEA or have customers in the EEA. There would be additional complexity if they had to comply with both the GDPR and the UK GDPR. They could face concurrent legal claims in both the UK and the EEA. Will the Minister amplify the justification for having no impact assessment? Data flows are crucial to many businesses, not just the tech industry—there is hardly a business or other organisation that they do not affect—so the rather blasé claim that no impact assessment is needed is not justified.
I am a bit confused—it may just be my lack of understanding—about the situation regarding EU adequacy decisions on third countries. Paragraph 2.8 of the Explanatory Memorandum says there will be,
“incorporated into UK domestic law … EU decisions on the adequacy of third countries and on standard contractual clauses, both of which are relevant for … international transfers”.
Paragraph 2.13 says:
“It will not be necessary to retain the EU decisions on adequacy and standard contractual clauses … so these are revoked by this instrument”.
If I have understood the Minister’s presentation, this is explained by the fact that we are recognising and incorporating past EU adequacy decisions, but that in the future, in a no-deal scenario, the UK will take over that function: I venture to suggest that that is not very clearly explained in the Explanatory Memorandum.
Would it help if I just said that the noble Baroness is absolutely right in her interpretation?
I do not often get that response from Ministers, so that is very gratifying.
Also, a second version of these regulations was published at the end of last week—I think the Minister referred to it—which is specifically about privacy shields in the US. I am rather surprised that we will have two separate considerations: why could they not have been incorporated into this debate? As the ICO pointed out in a notice a while ago, US companies will need to update their privacy shield commitments to state that they apply to transfers of personal data from the UK. That is a big deal for many companies. It is another reason for what I said about the need for an impact assessment. If that does not happen, a lot of companies will be in serious difficulty.
Will the Minister tell us what advice the Government are giving businesses on using standard contractual clauses or binding corporate rules in the absence of an adequacy decision? The European Data Protection Board issued a notice about this last week, on 12 February. Are the Government going to advise businesses, large and small, exactly how this will work? Lastly, what progress is being made on an adequacy decision? The Minister will know from discussions during the passage of the EU withdrawal Act and the Data Protection Act that many of us are worried about this issue. Last summer, the Government expressed their aspiration for a legally binding agreement that would be more than a unilateral adequacy decision and which would enable the ICO to have a seat on the European Data Protection Board. Essentially, it would be Brexit in name only and would retain all the benefits of being in the EU with regard to data protection structures. That aspiration is not recognised in the political declaration, which talks only about an adequacy decision, so the UK has been knocked back in that area. Perhaps the Minister could tell us precisely where we are. What signal is he getting from the Commission on an adequacy decision? Are we talking months or years?
My Lords, I took the advice of the noble Lord, Lord McNally, that it would not be easy—and he has proved to be right. It is reasonable to take on board the frustrations that some of these SIs have caused—in my view, not so much because of the process which is gone through but the fact that some noble Lords do not want to leave the EU and are highlighting the effects. What they are highlighting may well be the case, but when we are trying to pass an SI such as this one we need to concentrate on its effect and—that did not take long.
I am sorry but the Minister must accept this. It is absolutely true—I speak for myself and my Benches—that we would prefer to remain in the EU, but that is not the point about an impact assessment. There is a difference between crashing out with no deal and a transitional period when EU law would continue to be applicable and we would not need all these arrangements. That is what an impact assessment would have to assess. This is about a no deal crash-out and it is perfectly valid to distinguish that from an advocacy of remain.
I agree. That is why the Government are making all efforts to secure a deal. We agree that a deal is the best situation for the country. We are at one with that.
In answer to the noble Baroness, I will start with something which is my responsibility—the legislation.gov.uk website provided by the National Archives. I will take up the matter with it. I am told that it may be helpful to search for “draft statutory instruments” rather than “statutory instruments”. I certainly listened to what she said about the website not working and will check what we need to do.
The noble Baroness, the noble Lord, Lord Adonis, and others talked about the impact assessment and asked why it has not been published. The impact of this instrument, not the impact of leaving the EU, was assessed in line with standard practice following the existing Better Regulation framework. It is focused on the direct impact of the relevant SI compared with the current legislation. The whole point of this SI is to maintain an equivalent regulatory framework to protect personal data. The noble Lord, Lord Adonis, quite rightly pointed out that it affects not only UK businesses but mostly EU and EEA businesses, which will have to have representatives in this country, and I will come to that. It is a reciprocal arrangement. If these regulations come into force and we have a UK GDPR, the same necessity for representatives will take place both ways, and I will come to that.
The analysis, to the best of the Government’s ability, of the wider impact of the UK’s exit from the EU was published in the Long-term Economic Analysis in November last year. The noble Lord, Lord Adonis, talked about representatives and Article 27. He is correct that data controllers who offer goods and services to or monitor the behaviour of data subjects in the UK will need to appoint a representative in the UK, but that is a cost to non-UK businesses, which is what the impact assessment is meant to address. He is also correct that there will be organisations in the UK that will be required as a matter of EU law to appoint a representative in the EEA. The ICO provides data controllers with advice on this obligation and will continue to do so. If controllers and processors based abroad are routinely processing data, it is right that they should be accountable in the UK and have a presence here because this is about maintaining the status quo as far as possible, not about rolling back protections for individuals, so the representative is a point of contact for the data subject as well as the supervisory authorities, such as the Information Commissioner.
I understand that the Minister is saying that my supposition is correct that after a no-deal Brexit a UK data controller doing business in the EEA will have to have a representative in the EEA as well as in the UK because this will be a reciprocal obligation—the Minister is nodding, so he agrees. The key point is that that is a significant burden on businesses. There is no way of getting away from it. That is a new and significant burden on UK businesses as a result of the regime put in place by this instrument, so why is it not flagged up in the Explanatory Memorandum to this order? Indeed, to take up the point made by my noble friend Lord Rooker, why did our Select Committees not point this out in their analysis of this instrument? My reading is that this is going to be a burden on a very substantial proportion of businesses which conduct business that involves data. Therefore almost all of them that do business on the continent will be required to have a representative on the continent for GDPR purposes which they do not have to do now and will not have to do if there is a deal because we would have continuity of the existing GDPR arrangements.
It is true that they may be required to have representatives in the EEA, and it is a reciprocal benefit. The impact assessment looks at the specific requirements of the SI, not at the requirements of leaving the EU. The long-term consequences for business—
I thought I was going to listen to a debate on a specific SI, but there are some very large principles here about the way in which this House should be handling the very large number of SIs which we are expected to get through in the next two to three weeks. If it is correct to say that the Treasury has now laid down that there should be no impact assessment because we can all rely on what the Government told us in general about the implications of leaving the EU, that seems to be close to being totally improper and at the very least to require a formal Statement to this House about how we are expected to deal with this very large number of statutory instruments.
In the circumstances, the most appropriate thing would be for the Minister to withdraw this statutory instrument and to come back in a few days after there has been some consultation on it among the Front Benches. If he is not able to do that, at the very least he should promise that tomorrow there will be a formal Statement to the House on how statutory instruments will be handled from now on. It seems that we are heading into an area where statutory instruments are not being properly scrutinised by this House.
I find it difficult to understand how the noble Lord can say that the SIs are not being properly scrutinised by this House, particularly in comparison with the scrutiny that this instrument received in the other place.
I agree with the noble Lord who is saying from a sedentary position that that is why he is here and why it is important. However, taking my personal experience of the telecoms SI, an hour and a half in the Moses Room and an hour in the Chamber seems to be pretty reasonable scrutiny. As for how the House in general and the Government are handling SIs—
This is not just a matter of time; it is whether people have the appropriate information to be able to raise and challenge issues. That is the underlying issue that the Minister is running into in this House.
I understand that point, and the noble Lord, Lord Adonis, made it to me forcefully in the Moses Room. This SI has been laid for some time and there have been opportunities for noble Lords to talk to and engage with anyone from the DCMS. I take the point that it is sometimes difficult for Back-Benchers to get information if they do not ask the department. However, I think that the Front Benches have been fairly open in exchanging information on any SI—that is certainly the case in my department. I offered the noble Lord, Lord Adonis, opportunities to ask questions well before the debate, as I think he acknowledged.
It is not for me to say how the House and its sifting committees behave and how the two committees have liaised with each other. However, I will take the noble Lord’s request back to the usual channels. I will not commit to there being a Statement tomorrow but I will certainly take back his point to make sure that the usual channels listen to what he has said. The making of Statements will be up to them—that is not for me; nor is it for me to comment on the work of the sifting committees of your Lordships’ House.
My Lords, this morning I read a new Commons briefing on the amount of legislation that needs to have been completed to enable us to leave the EU on 29 March in good order. The answer is eight Bills, as well as, still, several hundred SIs. The Government Front Bench keeps telling us that it is perfectly possible to manage that within the next six weeks but, in spite of the remarkably light business that we have this week, it seems that we are very much in Alice in Wonderland territory here. We cannot manage all that within that period, even if we are asked to skimp on the SIs. We know that part of the problem is that the Civil Service cannot manage the impact assessments for these SIs because it is so overloaded and this Chamber is unable to do its job appropriately. The Government have therefore left it too late to be able to leave the EU in good order constitutionally and legislatively on 29 March. I would like the Minister to take that back to the rest of the Government Front Bench, and a Statement to the House on how we should manage this from now on would, I think, be appropriate.
I thank the noble Lord for his view. It is clearly not for me to promise a Statement to the House. As I said before, I will agree to take back what he said and put both interventions to the House authorities. They may or may not agree. If they do not, I am sure that he will be able to raise it in an appropriate forum direct with the usual channels—both via his own Chief Whip and also directly with the Leader of the House and our Chief Whip. However, it is not appropriate, in considering an SI, to move beyond that to the wider method used by the House to address statutory instruments. Ministers certainly feel that they have been scrutinised considerably. I do not see that the noble Lord, or others who have spoken on this, are suffering from a lack of information with which to scrutinise these statutory instruments; they seem to be scrutinising fairly effectively as far as I can tell.
My response to the point made by the noble Lord, Lord Adonis, about the effect of representatives on business, is that the need to have a representative in the EEA is not as a result of this statutory instrument—it is as a result of EU law. Therefore, as I said before, the fact that we will no longer be part of the EU means that EU law will apply to us as a third country; until now, we have not been a third country.
I seem to have misunderstood. I thought we had got clarity on this situation. While we are a member of the EU, a company needs to have only one representative in the EU—if I have got that right—whereas under the no-deal Brexit scenario, if the company is based in the UK and does business involving data exchanges or transfer in the EEA, it will need to have two. That is a very important point. It is not the case that the status quo will continue: there will be a fundamental difference once we are outside, because then we will be a third country as far as the EU is concerned. The reciprocal arrangements mean that UK businesses doing business on the continent will need to have a data representative in the EU and vice versa, which is not the case at the moment in respect of the EEA. Is that correct?
I do not think that is correct, but I will write to the noble Lord to confirm it.
This is a fundamental issue; it goes to the heart of these regulations. The House should absolutely not agree to these regulations without us being clear in this debate on whether there will be a requirement to have data representatives in both the UK and the EEA reciprocally in the event of a no-deal Brexit. That is fundamental. My reading of these regulations is that this will be a requirement and that is what I took the noble Lord to be confirming earlier in the debate.
I think the noble Lord has mis-stated it. The reciprocity is that an EEA company will be required to have a representative in the UK and, likewise, a UK company will be required to have a representative in the EEA.
That is not the case at the moment, while we are in the European Union. That is the key point, is it not?
There will be a fundamental and massive increase in burdens as a result; this is the key point that I am trying to get across, which is not in the Explanatory Memorandum at all. It is not necessarily a point about leaving the EU. If we have an agreement, with an implementation period and so on, there will not be that requirement until we leave the existing regime. These are fundamental issues, which should have been brought up well before this debate started. The fact that the noble Lord cannot even definitively confirm the arrangement is quite a serious problem for us.
I am sorry, but I do not agree with the noble Lord. When we have the UK GDPR, which these regulations will bring into place, there will be reciprocity in the need to have representatives in each other’s countries. I agree that this will be a change. We do not need them at the moment because we are in the EU, but this will be a result of leaving the EU.
I want to get some clarity on this and perhaps the Minister will be able to help me. He is quite clear that, for a wide variety of companies, there will need to be one representative in the UK and, he seems to imply, one representative in the EEA. Is that correct, or does there need to be one in each country within the EEA—or does the individual in the EEA have to deal with different regimes because of the different local regulators and because it is representing a third country in its work? I am trying to work out how great the burden that he has indicated will be, even though he does not think that it will be part of the impact.
Before the Minister answers, I would like to press again this idea that an impact assessment is not needed since the impact comes from leaving. I say no to that; it depends how you leave. The Minister and I may differ on the desirability of the Prime Minister’s deal, whatever that is going to be, but there is a difference between crashing out and having a transition with a political declaration which may avoid the need for duplication; we do not know what the data protection provisions will be in the future relationships. We all hope that there will be a strong degree of mutual recognition, but the immediate impact of crashing out with no deal—with a void where any adequacy decision or future reciprocal relationship between regulators would otherwise be—is quite different. First, it is different from having a standstill transition and, secondly, it is different from having the prospect, or at least the hope, of a long-term relationship that preserves something of the single market. We need the impact assessment to assess the difference between those two scenarios; that is what the Minister does not seem to grasp.
I agree with the noble Baroness that, if we leave with a deal, that is a different scenario from leaving with no deal. That seems an obvious fact and it is why the Government are trying to leave with a deal, which is what the Prime Minister is trying to achieve. This is a no-deal exit SI to prepare for that eventuality. If we leave with no deal, the object of the exercise will be to preserve the GDPR standard of data protection, which this SI will do. To return to the point raised by the noble Lord, Lord Adonis—sorry, it might have been raised by the noble Baroness, Lady Kramer—the requirement to appoint one representative in the EEA is, as I said, a result of EU law.
I say again to the noble Lord, Lord Adonis, regarding the impact on business of Article 27, that we think that if controllers based abroad are routinely processing the data of people in the UK then it is right that they should be accountable and have a presence in the UK, because it is about trying to maintain the status quo as far as possible for individuals and not rolling back their data protection. The representative is a point of contact for the data subject as well as supervisory authorities such as the Information Commissioner.
I turn to the points made by the noble Lord, Lord McNally, about the complexity for organisations potentially subject to dual regulation. The point of this instrument was to ensure the minimum disruption to organisations and to data subjects by trying to retain the effect of the data protection legislation where possible. The relationship is absolutely changing but the instrument ensures that we can co-operate on an international level with not only the EU supervisory authorities but those in other countries; that is why we have kept Article 50 of the GDPR. Where he is right, and I accept that he is right in this, is that if we move away from the GDPR—if the UK GDPR moves away from the EU GDPR—that will have consequences for the adequacy decision that we hope to achieve, which will be reviewed by the EU Commission. It is important that the EU has confidence that our data protection regime is “essentially equivalent”, which is what the adequacy decision is based on. Anything that we do in future will have to bear in mind that our data regime is essentially equivalent so that it gives the EU confidence.
I agree with the noble Baroness, Lady Ludford, that in previous times there were elements that were outside EU competence that it could not look at, but now of course in an adequacy decision it will be able to look at those. Again, as it does in other adequacy decisions, it will look at the overall adequacy requirement and say whether or not it is essentially equivalent. That is why the adequacy decision is not immediate. Where we start in a good place compared to other regimes is that we have started with an equivalent regime to the extent that we have enacted the GDPR, which other third countries have not. We start on a level playing field in that respect.
The noble Baroness talked about the US privacy shield and the reason why we are going to lay another set of regulations. The discussions on the US privacy shield were ongoing when this SI was laid and therefore we could not wait. It was our priority to lay this SI so that we had an ongoing regime in the event of no deal. Now that that has been agreed between us and the US, though, another SI will be laid—it may even have been laid—to ensure that the US requirements continue, and I think that will happen very soon.
The noble Baroness asked about the EDPB’s recently published guidance on the implications of the UK’s exit. That guidance confirmed that, if the EU Commission does not make an adequacy decision in respect of the UK, EU firms will need to put in place alternative transfer mechanisms, such as standard contractual clauses, to continue to transfer personal data to the UK.
The noble Baroness suggested that the political declaration only covered adequacy. That is not right: paragraph 9 addresses the free flow of data while paragraph 10 addresses regulatory co-operation.
The noble Lord, Lord Adonis, and the noble Baroness, Lady Ludford, talked about consultation. The difference between this SI and many others is that the Data Protection Act came into force less than a year ago; it was enacted after extensive discussions in this House and the other place, after the referendum discussion had taken place. Those noble Lords who participated in the Data Protection Act discussions, which lasted for many weeks, all know that matters such as data adequacy were raised numerous times. The whole purpose of the Act, and the mixture between regulations and derogations from regulations, was that we would be on as level a playing field as we could be when it came to getting an adequacy decision.
Forgive me, but I would like to follow up on that. I really think the Minister is overselling what is in paragraph 9 of the political declaration. Last June, the Government issued a technical note about wanting a legally binding data protection agreement, and I described that earlier as a “Brexit in name only” kind of arrangement. They wanted that because there are,
“benefits that a standard Adequacy Decision cannot provide”.
Except for one sentence in paragraph 10 that talks about arrangements for appropriate co-operation between regulators, paragraph 9 is about a standard adequacy decision—no less but certainly no more. It talks about the European Commission recognising,
“a third country’s data protection standards as providing an adequate level of protection”.
It is not what the Government hoped for last June. I do not understand why the Government are trying to pretend. We can all read paragraph 9 once we have googled it and reminded ourselves, so to say that it is more than an adequacy assessment process is simply not true.
I understand the point from the noble Lord, Lord McNally, that our new position will not be the same as being in the EU. If we were a third country, I would expect us to have less influence than if we were a member of the EU. I am not denying that; it seems obvious. He is absolutely right that the GDPR was influenced by the UK, not only by officials in the negotiations but specifically by the ICO, which is regarded as one of the leading regulators in Europe. Of course, it will not have the same position as it did if we are not in the EU; I take that point.
However, I do not base everything on just the political declaration, which may or may not have some influence. It is also that we have retained Article 50 of the GDPR. I cannot remember the exact words, but it is on the basis of that that the EU talks about international co-operation with third countries, so there is a mechanism. As I said to the noble Lord, Lord McNally, it will not be the same, but there are bases for international co-operation. The EU wants that to happen and understands that in things such as data protection, you have to have an international consensus. In fact, on that, it is more important to go beyond the EU and do it internationally. Other organisations should—and do—take views on this. I think we are at the start of the journey on control of cross-border data flows and it will provide a further basis to influence behaviour.
On adequacy, it is easy to ask for detailed timelines on when this will take place. It will not take place on exit day, because it is not possible for the EU to give an adequacy decision unless you are a third country. Preliminary discussions—which, as the noble Baroness, Lady Ludford, has indicated, may take some time—could begin now and we are ready to begin those discussions as soon as we can. We are already liaising with the European Commission—in fact, senior officials were in Brussels for talks last week—and we have liaised with member states on this subject. When the EU is ready to begin discussions, we are confident that we will be ready, but it is impossible to say how long that will take because, as the noble Baroness said, it is not a decision that is in our gift.
However, we start from a position of regulatory alignment on data protection. We implemented the GDPR and the law enforcement directive. We have also taken a GDPR approach on data protection to areas that were outside EU competence, such as law enforcement and national security, so we start in a very good position. In fact, it is such a good position that the UN special rapporteur on the right to privacy declared that the UK now co-leads in Europe and globally on privacy safeguards, and has made significant improvements in its oversight system since 2015. He said that,
“the UK has now equipped itself with a legal framework and significant resources designed to protect privacy without compromising security”.
It is important to note that there is a strong mutual interest in data adequacy.
The noble Lord, Lord Adonis, said that it is unsafe to pass this SI. I would like to point out what that would mean, if it is not passed and we have a no-deal exit. It would mean that we would cease to have properly functioning data protection law. The whole basis for adequacy decisions, which I think we all agree is very important, would go, because we would not be on a reciprocal basis—
Would the noble Lord agree that a better course would be for the Government to rule out no deal?
I am talking about data protection. We want a deal; I think everyone agrees on that. The question is whether going into a negotiation saying that is a good way to approach the negotiation.
As well as the basis for adequacy going, there would be no transitional arrangements to enable lawful personal data to transfer to the EEA. The noble Lord, Lord Adonis, is concerned about business expenses; for that reason, that would not be a sensible way of going forward.
On the adequacy decision which my honourable friend Margot James mentioned, I do not have her remarks before me, but I believe she said something about two years. I think what she meant was that other countries’ adequacy decisions have sometimes taken two years, but we see no reason for it to take two years in the UK’s case, because, as I said, we are equivalent. I think I have answered most of the points that noble Lords raised.
I apologise for interrupting the Minister again. He said we are now undertaking “preliminary discussions” about how this would be handled if we leave without a deal, but that these discussions “may take some time”—I think I heard him say that. Is he suggesting that, if we leave without a deal on 29 March, there will be an unavoidable gap in mutual recognition of data protection law, which we—or rather businesses—will have to cope with somehow? That may have a significant adverse impact.
Yes, because it is literally impossible to have an adequacy decision until you are a third country. Therefore, you cannot have an adequacy decision in advance. What you can do, and I should have said preliminarily that we have been discussing this—I raised it over a year ago—is start the discussions with the EU, but the decision itself cannot be made before exit day. It is impossible.
There are mitigations which prevent that—standard contractual clauses and binding corporate rules. Plus, it depends a lot on the proportionate approach that the regulators in the EU take. There would be an impact; we would have to arrange mitigations, which would be a cost to business. That is what has been set out in the technical notice to business.
The Minister is making a very good case for why there should have been an impact assessment.
I am making a very good case for why we want a deal. As I have said several times, we want a deal.
I think I have been through most of the questions raised by noble Lords. The important thing about this statutory instrument is to have a fully functioning data protection regime. If we go back to the original reasons why we passed the Data Protection Act 2018 with a fair bit—a lot, I would say—of cross-party support, the reason that it is important is to give individuals protection for their personal data. We must bear that in mind. These regulations will preserve that protection for individuals and set us on the road to a successful conclusion of our adequacy agreement when we get to the stage where the EU will allow us to negotiate it. That is why I beg to move.