Data Protection (Adequacy) (United States of America) Regulations 2023 Debate

Department: Department for Science, Innovation & Technology


Lord Fox Excerpts
Wednesday 22nd November 2023


Lords Chamber
Baroness Jones of Whitchurch (Lab)

My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for raising his concerns about this SI this evening, and for the diligent work of the Secondary Legislation Scrutiny Committee in drawing to our attention the inadequacy of the original Explanatory Memorandum attached to it. In fact, had the details been included in the proper form in the first place, it could have saved me a lot of chasing around to establish what had been tabled when; as the noble Lord pointed out, it was not immediately clear.

For example, the Secondary Legislation Scrutiny Committee criticised the lack of an impact assessment, a variation of which has now finally been attached to the SI. As the noble Lord made clear, the original Explanatory Memorandum recorded that the impact assessment was not ready to be published as it had to be submitted to the Regulatory Policy Committee for its review. We now know, thanks to the work of the Secondary Legislation Scrutiny Committee, that the RPC judged the original impact assessment as not sufficiently robust, identifying areas of improvement which, if not addressed adequately, would generate a red-rated opinion. It reports that a revised IA was submitted to the Regulatory Policy Committee on 20 September. Can the Minister confirm whether this revised IA has now received a green rating from the RPC?

I agree with the Secondary Legislation Scrutiny Committee that, sadly, the failure to produce this proper documentation in a timely manner occurs all too often. It makes it difficult for Parliament to carry out our scrutiny role and reflects a wider decline in drafting accuracy. I understand that the staff work under intense pressure but, in this case, I see no reason why all the checks could not have been carried out before the SI was laid, even if this resulted in a slight delay.

The Secondary Legislation Scrutiny Committee also quite rightly raised concerns about the lack of contextual information in the original Explanatory Memorandum. I absolutely agreed with them on this. It was not until I read the impact assessment that the background and intent of the SI became clear. There is now a revised EM but the original printed version of the SI, which I collected from the Printed Paper Office, as I suspect the noble Lord did as well, contained the original Explanatory Memorandum, which again underlines the inadequacy of the processes adopted by the department.

In this context, I have some questions which arise from the impact assessment rather than the EM. First, is it the case that the only adequacy regulations currently in existence are with the Republic of Korea? As this is the first such agreement, how are the provisions of the regulations being monitored, and have any data breaches been identified? I hope that we would learn from that first experiment, if you like, with the Republic of Korea. Any information on how that is working would be appreciated.

Secondly, what criteria do the Government use for prioritising other potential data partnerships, as listed in the IA? Are any others near completion?

Thirdly, since Brexit and the failure of the EU privacy shield, the EU and the US have developed the data privacy framework, and we have signed up to the UK extension of that framework. In what ways does the extension vary from the EU-US agreement? If the European Commission varies that agreement, can we be assured that the UK extension will seek to reflect those changes? This would make it considerably easier for businesses to navigate the rules in the longer term.

Fourthly, since there is some sensitivity around this currently, today’s announcement that the NHS has handed US spy tech firm Palantir a contract to create a huge new data platform has rightly caused concern. Does this agreement come under the new data adequacy rules covered by this SI? Is it the case that individuals cannot opt out of the scheme, as reported in the press? What would prevent Palantir selling on the data to other US companies, provided they signed up to the US Department of Commerce’s self-certification scheme?

Incidentally, I could not see in the impact assessment any assessment of the robustness of the US rules. For example, how many data breaches are there per annum and what sanctions are taken against those who breach the rules? It is all very well having an adequacy rule, but we want to know how it is working in practice and what the US’s history has been on this. Does the Minister have any information on this?

My last question leads on to the Secondary Legislation Scrutiny Committee’s last recommendation, which has also been highlighted by the noble Lord, Lord Clement-Jones. The UK public are understandably suspicious about how their personal data could be misused or monetised by big corporations, both here and abroad. If they have nothing to worry about in this instance, it would have been helpful to hold a public consultation to provide reassurance and build confidence in the policy. As it stands, there are bound to be concerns about the underlying consequences of this proposed agreement. As the Secondary Legislation Scrutiny Committee points out, an increasing number of experts and specialist lawyers could have contributed to the development of this policy, particularly as it may be a model for other agreements in the future.

I hope the Minister can reflect on these concerns and take them back to the department. I hope that he can also address the specific questions I have raised, and that he can assure us that the lessons about the way documentation is presented to Parliament for approval in the future will be taken on board.

Lord Fox (LD)

My Lords, it is a pleasure to follow the noble Baroness and, indeed, my noble friend Lord Clement-Jones. Their commentary on the process so far is quite damning. I share my noble friend’s fear that this is in danger of selling short what is an important aim of creating a viable data bridge between these two jurisdictions.

I am not going to go over the process; I will pick out a number of points from what I think is the right Explanatory Memorandum but may, of course, be the wrong one. I am acting in good faith; I think I picked it up from the table at the right nanosecond when the correct document was there.

Paragraph 7.2 of the EM says:

“DSIT officials have been working closely with counterparts in the US”.

Paragraph 25 of the Secondary Legislation Scrutiny Committee’s report says that DSIT told the committee:

“The US does not have a comprehensive data protection framework”.

The report points out, as noble Lords have said, that this framework tends to be based on a sector or state-level requirement. So who are the counterparts that DSIT talked to? There are no counterparts equivalent to DSIT who can have that competent conversation.

In practice, can they know that the treatment of data will be the same in California as it will be in Florida? If they know the answer to that question, how do they know it—who did they talk to in order to gain that information? It seems to me that the complications of data in the United States are not reflected in the Explanatory Memorandum in my hand.

That is the first point. Moving on, if you look at paragraph 7.6 in the Explanatory Memorandum, you see that it is very clear that this is a self-certifying annual process. Self-certifying is another word for ticking boxes. So, once again, how can the department be sure that this process is being properly dealt with and monitored? When we come to the enforcement of this self-certification process, is it the Department of Commerce that will be checking that this self-certification has happened? Will it be the state legislatures? Who will be the bodies in charge of this self-certification? Will there be an annual report, so we know that all these bodies are certified? Indeed, if I am giving my data to a particular organisation that is then sending that information across the United States, how do I know that that process is properly certified? It seems that these are good words but, unless they are backed up with a system and a process, they are to all intents and purposes meaningless.

The next point is picked up in paragraph 7.12 of the Explanatory Memorandum, where we talk about processors and transfers, and people in the United States who are

“indicated on the Data Privacy Framework List as participating in”

this bridge. If there is a violation from an organisation in the United States that is picked up by the Information Commissioner in the United Kingdom, what happens next? Who does what, in terms of prosecuting the organisation in the United States for wrongfully dealing with that data? Who is liable? At a corporate level, where is this dealt with? Is there some sort of corporate veil to the US company which means that the UK company is not liable? How in companies law will this operate? It seems to me that there is not the information here to answer those questions and I wonder, frankly, whether they have actually been considered.

It is quite clear that this could not have happened without the hard work and endless negotiation of the EU-US group. This rides on the back of a rule-taking process that I suppose we are going to have to get used to as things go forward. My noble friend’s point about Schrems is very true; Schrems III is coming soon, so what will the Government’s position be if it finds against the EU part of this bridge? Will we also automatically cancel the bridge? How does that then affect companies that have already transferred their data and made that decision?

There are a couple of ancillary questions which are, I guess, slightly off the wall. There is an industry in this country that involves having servers and creating a UK-based server place as a safe harbour for British data. I assume the department has done an analysis of the industrial effect on those servers, because clearly many of them will be no longer needed, and data can be sent back to the United States rather than living in what are euphemistically called “clouds” but are actually server farms in the United Kingdom.

I have a final question. As the Minister knows, political parties tend to knock on doors, collect data and put that data into databases. Can he tell us what the position is on electoral databases in terms of using US-based servers to retain that data? At the moment, that is not done. Will political parties be able to move that data from servers in this country to perhaps their counterparts, assistants or supporters in the United States, in order to do analysis, targeting and whatever, or do the current rules of safe harbour still exist for electoral data?