Data Protection (Adequacy) (United States of America) Regulations 2023 Debate

Department: Department for Science, Innovation & Technology

Data Protection (Adequacy) (United States of America) Regulations 2023

Lord Clement-Jones Excerpts
Wednesday 22nd November 2023


Lords Chamber
Moved by Lord Clement-Jones

That this House regrets the Data Protection (Adequacy) (United States of America) Regulations 2023 and regrets in particular (1) the absence of an Impact Assessment at the time it was laid; (2) the lack of any public consultation; and (3) that the explanatory material laid in support does not provide sufficient information to gain a necessary understanding of the instrument’s policy objective and intended implementation.

Relevant document: 53rd Report from the Secondary Legislation Scrutiny Committee, Session 2022-23

Lord Clement-Jones (LD)

My Lords, this is clearly box-office this evening. As soon as I saw the Secondary Legislation Scrutiny Committee’s report and its comments, I thought these regulations were a prime candidate for a regret Motion. This does not mean that the Minister has to be quite as persuasive as he would be if they were subject to the affirmative process, but it does mean that he has to recognise that we are not just going to let this kind of important secondary legislation go through on the nod—especially where his department has not excelled itself in giving the necessary explanatory and impact assessment material.

On purely procedural grounds, the tale of how DSIT has dealt with this SI is not a happy one. These are regulations made under Section 17A of the Data Protection Act 2018 to establish a data bridge with United States of America through the UK extension to the EU-US data privacy framework. The impact assessment for the regulations was first submitted on 4 August for Regulatory Policy Committee scrutiny, and the RPC’s initial review of it, sent to DSIT on 15 September, found that it was not sufficiently robust and identified areas where improvements should be made. As the RPC states:

“We considered that the points raised would generate a red-rated opinion, if not addressed adequately”.


Following discussions, DSIT submitted a revised impact assessment on 20 September. The data protection adequacy regulations were laid before Parliament the day following, 21 September.

In its report of 17 October, the SLSC said:

“We regret the absence of the IA and of a public consultation and recommend that the EM be revised to include the missing contextual information”.


The regulations are drawn to the special attention of the House on the ground that the explanatory material laid in support provides insufficient information to gain a clear understanding of the instrument’s policy objective and intended implementation.

The SLSC also said:

“We regret that … important context to the UK Extension to the EU-US Data Privacy Framework was not included in the EM. While the purpose of the Regulations is made clear by the EM, without the additional information provided by the Department and the link to the Government’s analysis, it is not possible for a reader of the EM to understand fully the policy context and framework of the adequacy decision and how this policy was developed. We therefore ask the Department to revise the EM to include the contextual information and the links to relevant external material. We are disappointed that the Department was unable to provide a final, green-rated IA when the Regulations were laid before Parliament … We regret—


and this is a broad point which comes up time and again—

“that this is a further example of relevant impact information not being shared with Parliament at the right time … We take the view therefore that it would have been desirable to carry out a public consultation”.

The SLSC concludes:

“We regret the absence of the IA and of a public consultation and recommend that the EM be revised to include the missing contextual information”.


If it had not been for the noble Baroness, Lady Jones, bumping into me today, I would not have realised that the Explanatory Memorandum that I read to prepare my speech today had been switched from 20 September to 21 November. I have the two versions in front of me, thanks to the noble Baroness, and they do differ. It seems extraordinary that two months should elapse before we get the revised memorandum. When I actually looked at it, I realised that it is considerably different. I am not surprised that the SLSC had something to say about this.

All the basic data protection principles that the US is meant to observe are set out in paragraph 7.7 of the new Explanatory Memorandum. They appear nowhere in the original memorandum. There is a whole slew of things: international data transfers, the need to consult expert counsel, and the fact that the Information Commissioner has produced an opinion, which I shall go on to talk about. There is also a third element of considerable importance: the impact on monetary net present value, under paragraph 12.3.

These are considerable changes, and it has taken two months and this regret Motion to elicit that kind of response from the department. That is not a happy start to these regulations: are these teething troubles at the new department, or something more serious? What is the Minister’s response to all these criticisms, in particular the lack of public engagement and the whole process by which these Explanatory Memorandums are produced?

This new arrangement is designed to be compatible with the EU-US data privacy framework and is what we must now call the UK-US data bridge. It came into force on 12 October 2023: from then on UK businesses may transfer personal data to US organisations certified under the UK extension to the EU-US data privacy framework without the need for alternative safeguards such as standard contractual clauses. Those US organisations that have committed to complying—and this is important—with the enforceable principles and requirements under the UK extension to the EU-US data privacy framework can be identified on the data privacy framework list. Organisations not subject to the jurisdiction of the US FTC or the US DoT are not eligible to participate, and that includes major institutions such as banks and insurance and telecommunication companies.

This is what a prominent firm of lawyers has said about the new regulations and the bridge:

“Organisations should take care to review the nature and scope of transfers permitted in practice and to consider the steps that should be taken to effectively make those transfers in accordance with the new arrangements. For example, certain journalistic personal data may not be transferred in reliance on the UK-US data bridge. It will also be necessary to actively indicate to the US recipient organisation that it must treat genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning sexual orientation as sensitive information. Whilst these types of data are special categories of data under Article 9(1) UK GDPR, they are not designated as sensitive information under the UK Extension to the EU-US Data Privacy Framework. Specific identification to the data recipient is therefore required. There are also specific requirements regarding the transfer of certain criminal offence data.”


The deeper you dig, it still remains potentially very complicated, and I wonder what guidance the department is giving in detail on this. For example, how exactly do the UK and the EU data bridge agreements translate to a US state basis? Do they require state ratification of some kind, or verification of the principles they adopt? If we are comfortable with the data adequacy aspects of the UK-US data bridge, there are clear advantages in terms of participating organisations being exempted from the need to conduct a transfer impact assessment, rather than having standard contractual clauses where TIAs need to be made.

However, what is the response of the Minister and his department to the Information Commissioner’s Office’s opinion on these regulations: that there are areas that could pose risks to UK data subjects if the protections identified are not properly applied? He identifies several potential issues with the UK-US data bridge: it does not contain substantially similar rights to the UK GDPR’s right to be forgotten, right to withdraw consent, and right to obtain a review by a human of an automated decision. He says:

“As a result, UK data subjects might not have the same level of control over their data as they do under UK GDPR.”


Secondly:

“The definition of sensitive information,”


much like the legal opinion,

“under the UK-US Data Bridge does not specify all the ‘special categories of personal data’ of the UK GDPR. Instead, the framework has a broad ‘umbrella’ concept providing that sensitive information can be any data regarded as sensitive by the transferring entity. UK businesses will have to clearly label certain types of data as ‘sensitive’ when transferring to a US organisation certified under the UK Extension to ensure adequate protection.”

Thirdly:

“For data on criminal offences, the ICO highlights potential vulnerabilities, even when tagged as sensitive. Since the UK places restrictions on the use of ‘spent’ convictions, there are concerns about a lack of comparable protections in the US for transferred data”.


The opinion of the ICO does not even deal with the potential impact of the Data Protection and Digital Information Bill going through Parliament, which will water down data subject rights, especially in the legitimate interest balancing test and Article 22, and in the provisions around DPOs and data protection impact assessments. Our data protection adequacy is not even secure, and the ICO specifically draws attention to this:

“If the Secretary of State becomes aware of a significant change in the level of data protection that applies to personal data transferred from the UK as a result of either the review or ongoing monitoring obligations, the Secretary of State must amend or revoke the regulations to the extent necessary”.


In addition:

“The Secretary of State is also required to monitor, on an ongoing basis, developments in a country, territory or international organisation which is the subject of UK adequacy regulations”.


Where did any of that appear in the Explanatory Memorandum? This is important stuff; it is our personal data.

How do we therefore know that our personal data is safe under these arrangements? How will the data bridge stand up, especially with the new Bill going through Parliament? Perhaps the Minister can also explain how the transfer of legally privileged data will be dealt with.

Even if this were satisfactory, one might ask how long the EU-US DPF will last before Mr Schrems gets to work. What will be the impact on our UK-US data bridge then, given that it is dependent on the EU-US bridge? Given the opinion of the ICO, should we expect litigation along the line of Schrems?

Under the DSIT analysis of last December, it is clear that the department has to take a view on, for instance, the sharing of sensitive data:

“DSIT considers that these exemptions are comparable to exemptions provided for under Article 9(2) of the UK GDPR and do not pose a material risk to UK data subjects”.


It says similarly about HR, and on personal data:

“Therefore, DSIT does not think that the extra protections afforded to criminal offence data … are likely to be undermined”,


and so on. What is DSIT actually advising businesses to do, given its opinion? Would it not be prudent to take some external advice, rather than rely on internal DSIT views about this? Would it not be safer for a business to agree or keep using standard contractual clauses?

Given the limited scope of the UK-US data bridge, a limited number of businesses can take the benefit of it. The impact assessment says: “The assumption that 23.4%”—that seems very granular—

“of those organisations who currently send personal data to the US will be risk averse due to legal uncertainty and continue to use standard data protection clauses is based on evidence from EU transfers. However, the assumption may be too conservative as many businesses reverted to using standard data protection clauses for EU transfers due to the previous risk of no-deal Brexit”.

That sounds like it is both on the one hand and on the other; it is not a very good basis for making assumptions and the figure may be even higher, given the uncertainty and difficulties surrounding some issues, such as the transfer of sensitive data.

I conclude in saying that I strongly agree with this sentence in the impact assessment:

“There is a clear rationale for creating a UK extension to the EU-US Data Privacy Framework”.


I very much believe that, if this works, it can pave the way for many other forms of co-operation with the EU. I just hope that the data protection Bill does not make that impossible.

--- Later in debate ---
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)

I thank the three noble Lords who spoke for their valuable and robust contributions to this debate. Let me start with some general remarks about the SI.

In 2022, the UK exported more than £99 billion in data-enabled services, such as finance and IT, to the US. That amounts to about 30% of the UK’s total data-enabled services exports globally. UK data bridges such as the one established with these regulations ensure that high data standards are upheld when UK individuals’ personal data is transferred internationally while reducing the compliance burdens for businesses, realising responsible innovation and growth. The UK-US data bridge restores a robust and reliable mechanism for transatlantic personal data flows and is expected to benefit around 16,000 UK businesses, 92% of which are small or micro businesses, and provide a combined benefit of an estimated £115 million per year.

The UK-US data bridge has been established following several years of collaboration between both countries and follows a robust assessment by the Secretary of State of the high standards and protections available to UK personal data when it is shared with organisations in the US under the bridge. DSIT published a series of supporting documents alongside the regulations for the US data bridge, including a policy explainer, a fact sheet for UK organisations, a series of letters detailing the operational delivery and enforcement of the framework, an analysis of the assessment which underpinned the Secretary of State’s decision and the Information Commissioner’s opinion.

I acknowledge absolutely the disappointment of the Secondary Legislation Scrutiny Committee that an impact assessment was not made available when the regulations were laid. As was remarked on, an initial impact assessment was submitted to the Regulatory Policy Committee in 2022 which was returned to my department with a green rating, meaning it was considered fit for purpose. Deeply regrettably, the updated version containing much of the same content was not reviewed and approved in a timely manner to coincide with the laying of the regulations. My officials worked at pace to address the additional comments from the Regulatory Policy Committee. I am pleased to say that the impact assessment for these regulations, which has been rated as fit for purpose, was published in mid-October. Furthermore, I can assure noble Lords that DSIT takes the concerns raised by the committee seriously.

In relation to the additional material included within the Explanatory Memorandum published alongside these regulations, as the noble Lord, Lord Clement-Jones, mentioned, an updated version of the Explanatory Memorandum addressing the areas raised by the committee in the report was laid, I am afraid as late as Monday 20 November, and is now available online. I am confident that these changes address the issues raised by the committee in its report.

On the concerns raised by the committee about the absence of a public consultation, I agree that these regulations may be an issue of public interest. These regulations have not been developed in isolation. As part of this assessment, the department worked closely with the UK’s independent data protection regulator, the Information Commissioner’s Office, throughout the assessment and the Information Commissioner was consulted by the Secretary of State prior to taking the decision to establish these regulations in accordance with the Data Protection Act 2018. Additionally, on five occasions since 2021, the department has publicly issued statements in relation to the progress made towards establishing these regulations. These include the UK-US comprehensive dialogue on technology and data launched in October 2022 and the Atlantic declaration announced by the Prime Minister and President Biden in June 2023.

Furthermore, the UK’s approach to facilitating international data transfers was the subject of a public consultation under mission five of the UK’s National Data Strategy, published in December 2020. This was focused on plans

“to remove unnecessary barriers to international data flows”,

drive high standards and build trust in the international use of data. These plans and the department’s approach in this area have been strongly and consistently welcomed by businesses of all sizes looking to operate and trade internationally between the US and UK.

I turn to questions specifically raised in this debate. The noble Lord, Lord Clement-Jones, asked what is being done by the department to address these issues in the future. The delays to the impact assessment and issues raised with the Explanatory Memorandum are unfortunate. It was always the department’s intention to publish the impact assessment once reviewed by the Regulatory Policy Committee and update the Explanatory Memorandum following the Secondary Legislation Scrutiny Committee’s report. As I have said, the department takes the concerns of the Secondary Legislation Scrutiny Committee seriously. There are steps being taken to ensure the delivery of high-quality, comprehensive documentation alongside future secondary legislation. This includes setting up a departmental better regulation team in the new year to support policy teams in the development of impact assessments, and providing a comprehensive library of best practice resources to officials and policy teams. I know that these steps do not help with the issues that arose in this statutory instrument, but I hope that it provides some reassurance towards the steps we are taking to prevent any repeat of these issues in future.

The noble Lord also raised how the data bridge agreements translate on to the US and whether they need to be approved on a state-by-state basis. The answer is that they do not need to be approved by individual states; they are arrangements which operate across the US in relation to any organisations which have signed up to the framework.

Regarding what guidance the department has provided to businesses, it has published a fact sheet on GOV.UK which provides additional clarity and information for businesses regarding using the data bridge, including explaining the need to specify certain types of data as sensitive. Additionally, the ICO has published a complaints tool to help businesses and individuals navigate the new redress mechanism which strengthens and protects UK data subjects’ rights when their personal data is transferred to the US.

Regarding the DPDI Bill, the changes to that Bill will not affect the validity of existing data bridges such as this one. They will continue to have effect under the new regime. The Secretary of State will continue to monitor the data bridge on an ongoing basis for any developments in the US which could affect the decision taken to make these regulations and will take such action to amend or revoke them if necessary.

The noble Lords, Lord Clement-Jones and Lord Fox, both raised what the longevity is of the data bridge, given the Max Schrems case, and the robustness of this legislation. We are aware of the stated intentions made by certain individuals such as Max Schrems to challenge the EU’s adequacy decision for the EU-US data privacy framework, as they have done twice previously. Our data bridge for the UK extension to that privacy framework is a separate decision from the EU’s adequacy decision, following the UK’s independent assessment of relevant laws and practices. We are continuing to work with the US now that the data bridge is online to ensure that it functions as intended and will continue to engage should any challenge to the EU’s adequacy decision be successful. Should the EU’s decision be invalidated, that would not directly impact the UK’s data bridge for the US.

In response to the noble Baroness, Lady Jones, I can confirm as above that the published impact assessment has a green rating. With regard to her question on how the data bridge differs from the EU framework, the UK is relying on our own extension to the EU-US data privacy framework, which mirrors the EU framework.

The noble Baroness asked whether individuals can opt out from the data bridge and about its robustness, including the important point about Palantir. UK individuals’ data is protected to the high standards expected within the UK under the UK GDPR and Data Protection Act 2018. We have conducted a robust and detailed assessment of the new US framework, which is published online on GOV.UK, and which the Secretary of State has decided meets the high standards necessary to establish a data bridge. This includes strict requirements and rules surrounding how US organisations should use, process and disclose personal data that they hold. When deciding whether to share personal data with a US organisation under the data bridge, the transferring organisation in the UK still needs to comply with all the requirements of the UK GDPR, including the need to have a lawful basis for sharing the personal data.

In response to the noble Lord, Lord Fox, who asked who the department engaged with in the US and which regulatory bodies are responsible for the US framework, this is a federal rather than a state government-level framework. The US Department of Commerce administers the framework and is our main counterpart, and the US Federal Trade Commission and US Department of Transportation enforce the framework. We also engaged with the US Department of Justice where there were questions in relation to US national security laws and practices. We have received reassurances from each of these bodies with regard to their commitments to upholding the principles and protecting the rights and protections of UK personal data shared with the US. These have been published online along with our full analysis detailing our assessment of the US data bridge and explaining the role of the different US bodies mentioned, which is on GOV.UK for anyone to view.

On the collection of data by UK political parties and the possibility of transfer to a server outside the UK, the policy governing this aspect falls outside the scope of data bridge policy, and so my department will follow up on that question.

Finally, on the question from the noble Lord, Lord Fox, about the self-certifying annual process for US companies and how the department can be sure that the process is being monitored, the US Department of Commerce has committed in the aforementioned reassurances to conduct verification checks on organisations certified to the framework, as well as to participate in periodic discussions with the UK Government about the operation of the framework, to ensure that the expectations and new practices of the data privacy framework are being met. This includes, where necessary, input from US enforcement bodies, the Federal Trade Commission and the US Department of Transportation, as well as from the UK’s independent data protection regulator, the Information Commissioner’s Office. Additionally, the Secretary of State is obliged to monitor on an ongoing basis any developments in the US or with the US framework that could affect the decision taken to make these regulations and to take such action to amend or revoke them as necessary.

I thank the noble Lord, Lord Clement-Jones, for bringing forward the debate today. The importance of proper scrutiny by parliamentarians for new legislation is paramount, and the department will continue to move forward with renewed determination to ensure that all necessary documentation is provided, not just to a high standard but at the point when regulations are laid. I believe and hope that I have answered all the questions. If not, I am of course more than happy to write with further detail. For now, I am once again grateful to the noble Lord.

Lord Clement-Jones (LD)

My Lords, I thank the Minister for that response. I congratulate him on managing to pick up nearly all the questions and provide them with answers. He probably never thought that quite so many questions could be asked about a single SI, and there are a couple of areas where I think there is further inquiry to be made. This is a salutary lesson in how the SLSC really needs to get the information that it needs to scrutinise regulations, otherwise we all jump up and down and spend our evenings on regret Motions.

This has been a very useful debate. The record, and how the Minister unpacked and answered some of the questions, might be helpful for those who want to take advantage of the UK-US data bridge. It is a great illustration also as to why affirmative SIs, rather than negative ones, are actually rather useful. Why rely on me producing a regret Motion? Would it not have been better to have a proper affirmative procedure in this case, as this is a very important instrument? The Minister talked about its value, and, if it works, we will all agree.

I also very much appreciate the fact that there is a level of humility about this, in that the department is looking at its procedures and setting its house in order with a new regulatory policy process. We look forward, I am sure, to seeing how effective that will be in the future. When the Minister talks about fact sheets and the sensitive data aspects, the fact that the ICO is gearing itself on the complaints and redress side is appreciated as well.