(6 years, 9 months ago)
Lords ChamberMy Lords, it is a pleasure to follow the noble Lord, Lord Warner, and speak to Amendment 88 and the other amendments in this group. I very much support the words and the very comprehensive introduction that was given by the noble Lord, Lord Stevenson. It is vital to many key sectors—manufacturing, retail, health, information technology and financial services in particular—that the free flow of data between ourselves and the EU continues post Brexit with minimum disruption. With an increasingly digital economy, this is critical for international trade. TechUK, TheCityUK, the ABI, our own European Affairs Sub-Committee and the UK Information Commissioner herself have all persuasively argued that we need to ensure that our data protection legislation is treated as adequate for the purpose of permitting cross-border data flow into and out of the EU, post Brexit.
Fears were expressed in Committee and eventually the Data Protection Bill was amended on Report and at Third Reading to show that some principles, at least, were incorporated in the Bill, despite the fact that the European Charter of Fundamental Rights will not become part of UK law as part of the replication process in this Bill. The noble Lord, Lord Stevenson, quoted the Prime Minister’s recent Mansion House speech, a speech that I am sure will be quoted many times, when she said that,
“we will need an arrangement for data protection. I made this point in Munich in relation to our security relationship. But the free flow of data is also critical for both sides in any modern trading relationship too. The UK has exceptionally high standards of data protection. And we want to secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals to achieve our aims in maintaining and developing the UK’s strong trading and economic links with the EU. That is why”—
this is exactly what the noble Lord, Lord Stevenson, said—
“we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office”.
Whether or not something more than adequacy will be available—the noble Lord, Lord Stevenson, also dealt with this—depends on the EU, which states quite clearly, in paragraph 11 of its recent draft negotiating guidelines:
“In the light of the importance of data flows in several components of the future relationships, personal data protection should be governed by Union rules on adequacy with a view to ensuring a level of protection essentially equivalent to that of the Union”.
I have slightly more extensively quoted paragraph 11 of the recent guidelines, but the difference between those two statements is notable. Both the statements recognise the fact, as many of us emphasised in this House during the passage of the Data Protection Bill, that the alignment of our data protection with the EU is an intensely important issue. There will be a spotlight on the question of whether we meet an adequacy assessment by the European Commission, which I think we all agree is necessary and essential.
As I said on Report and at Third Reading of the Data Protection Bill, the Government added a new clause designed to meet the adequacy test in future, yet this Bill also gives Ministers power to make secondary legislation to amend any retained EU law, which would include laws governing data protection rights. So the Government could give with one hand and take away with the other. This amendment, as the noble Lord, Lord Stevenson, emphasised, is exactly designed to avoid a situation where our data protection law does not meet the adequacy test, to the great disadvantage of our digital economy and other sectors. Set against this danger, it cannot be necessary or desirable to exercise any of the powers in Clauses 7, 8 and 9 to repeal any part of our data protection legislation, which we have so carefully crafted and adopted. These are probing amendments but I certainly hope the Minister can give us the necessary assurance to make sure that such amendments do not reappear on Report.
My Lords, I thank the noble Lord, Lord Stevenson, for bringing before us what are undoubtedly very important issues. I am grateful to the noble Lords, Lord Warner and Lord Clement-Jones, for their contributions. I say by way of preface that the general data protection regulation comes into force on 25 May this year. Noble Lords will be aware that there is, as the noble Lord, Lord Stevenson, referred to, a Data Protection Bill currently before Parliament which fully implements the current EU framework, including the GDPR. We would not have chosen to legislate in this way if we were not committed to that EU framework. To be fair, the noble Lord, Lord Stevenson, was gracious enough to acknowledge that. I also say that to seek to reassure the noble Lord, Lord Warner. Let me try to help a little further.
As the Prime Minister has set out, the Data Protection Bill will ensure that we are aligned with the EU framework, but we want to go further than that and further than the typical adequacy agreement—I think that this was the concern of the noble Lord, Lord Stevenson. We want to seek a bespoke arrangement to reflect the UK’s exceptionally high standards of data protection. To reassure the noble Lord, Lord Clement-Jones, this would include an ongoing role for the UK’s Information Commissioner’s Office and effective representation for UK businesses under the EU’s new one-stop shop mechanism for resolving data protection disputes.
Even with that background and that backdrop it is nevertheless crucial that we have powers to correct any deficiencies that arise as a result of the current text of the GDPR being retained in the UK, post exit, word for word. For example, at its simplest we will need to replace references to “Union law” and “member states” with references to “UK law” and “the UK” respectively. We will also need to replace specific articles that do not make sense in a UK-only context; for example, article 3 on territorial scope. These are, of course, exactly the same kinds of changes that will need to be made to a wide range of EU-derived legislation to ensure a smooth exit. Where I slightly differ from the noble Lord, Lord Stevenson, is that while data protection is extremely important, there is nothing particularly special about data protection in this regard.
The difficulty about the amendments tabled—we have to be quite clear about this—is that they would remove the powers that allow the Government to remedy these deficiencies or make any other adjustments to the GDPR to ensure we have complied with our international obligations or implemented the withdrawal agreement. Alarmingly, this would damage the integrity of our regime and put at risk the data flows between the UK and the EU, which are crucial, I think we all agree, for our shared economic prosperity and wider co-operation, including on law enforcement. It is essential that we have the powers to ensure that the UK legislation framework remains functional after our exit. Of course, I accept that exactly how the powers in Clauses 7 to 9 will be used in relation to data protection depends on the outcome of negotiations, but I hope it is helpful to noble Lords to have the illustrative examples I have provided on the record.
I hope I have reassured noble Lords of our commitment to both data protection and the flow of data between the UK and the EU and in these circumstances I urge them not to press their amendments.
My Lords, since we are in Committee I have a question for the Minister. She has said that there may be some need to slightly alter data protection legislation, but this is very broad. Surely, there is scope for a much narrower formulation, so that those adjustments could be made without any radical changes to our current data protection law.