European Union (Withdrawal Agreement) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Exiting the European Union
Lord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Department Debates - View all Lord Stevenson of Balmacara's debates with the Department for Exiting the European Union
European Union (Withdrawal Agreement) Bill
Lord Stevenson of Balmacara ExcerptsWednesday 15th January 2020
(4 years, 3 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 16-III Third marshalled list for Committee - (15 Jan 2020)
“Reporting of progress on achieving a data adequacy ruling
After section 15 of the European Union (Withdrawal) Act 2018 (publication and rules of evidence) insert— “15A Reporting of progress on achieving a data adequacy ruling(1) A Minister of the Crown must, before 31 June 2020 and every two months thereafter until IP completion day, make a statement setting out the status of Her Majesty’s Government’s discussions with the EU on a future data adequacy ruling.(2) The statement under subsection (1) must include—(a) a report of the discussions carried out to date or since the last report,(b) a declaration of whether, in the Minister’s opinion, a data adequacy agreement can be secured from the European Commission in order to take effect immediately after IP completion day, and(c) the policy of Her Majesty’s Government in the event of a data adequacy agreement not being secured to take effect immediately after IP completion day.””Member’s explanatory statement
This amendment requires a Minister to provide updates on the UK’s discussions with the EU regarding the granting of a data adequacy decision.
Lord Stevenson of Balmacara (Lab)
My Lords, Amendment 32 is in my name and I thank the noble Baroness, Lady Ludford, for her support. I am also pleased to see the new Secretary of State in her place. Although I think she will not respond to this debate, I am sure she is learning from the process and we look forward to further interactions with her in due course, not least the opening Question Time, which I see is now on the timetable—it should be fun.
This is a probing amendment, by which I seek to draw attention to two things. One is the importance of the personal data sector; that may not need to be said, but it is worth reminding ourselves of its importance. The other is the implications for our economy if the Government are unable to persuade the EU to agree a data adequacy decision within the tight timetable that we have. But I also want to raise concerns about the future of this sector in light of the Government’s plans for further changes to the law, some or all of which might reduce the chances of us obtaining a positive data adequacy outcome.
The facts are that 43% of EU tech companies are currently based in the UK and 75% of the UK’s personal data transfers are with EU member states. It is therefore vital that a data adequacy agreement is reached within the timescale proposed under the withdrawal agreement. But quite apart from the timescale, achieving a positive adequacy decision for the UK is not as uncontentious as the Government seem to think. For a start, any adequacy agreement requires the European Commission to consider a wide array of issues, such as the rule of law, respect for fundamental rights, and legislation on national security, public security and the criminal law in that country. As was pointed out during the passage of the Bill, the surveillance practices of the UK intelligence services may indeed jeopardise a positive adequacy decision tout court. But there are particular difficulties and it is worth reflecting on these.
Further modifications of the GDPR, as it was legislated for, are possible in the UK after Brexit using the powers in the European Union (Withdrawal) Act in areas such as rights, principles, definitions, powers of regulators, and fines. This means that the European Commission will have concerns on how secure the adequacy decision will be. Can the Minister say what guarantees will be under consideration in these areas? One problem with the UK’s version of the GDPR is that the Government resisted calls from this side of the House to include the recitals in the legislation. However, somewhat ironically, much of the ICO guidance on the GDPR is linked to the recitals and references are made to all of them. How will the Government square that anomaly whereby, after December 2020, those recitals will relate to the EU version of the GDPR but not specifically to the UK version? It has been argued that several of the exemptions in Schedules 2 to 4 to the DPA 2018 are not mirrored in other EU member states’ national data protection law, such as immigration and national security references, which might diminish the rights and freedoms of EU nationals in the UK. Can the Minister say how the Government will resolve this?
As was discussed at length during the passage of the Bill, the Investigatory Powers Act 2016 and the amount of bulk personal data collected routinely in the UK are generally accepted as a problem. Do the Government have any thoughts on how to address these issues? The status of codes of practice produced by the Secretary of State under the Digital Economy Act 2017 and the framework for data processing by government raises the question of whether the ICO is an independent regulator. Does the Minister accept that this may cause problems for the data adequacy ruling?
There are important provisions within the withdrawal agreement in relation to data protection over the transition period and I accept those. They include the fact that the GDPR and related EU privacy laws will continue to apply in the UK during that transition period and that there will be no immediate change in UK law on exit day. The UK must continue to interpret and apply the GDPR and related EU laws consistent with wider EU legal principles. The UK courts will therefore continue to apply decisions of the Court of Justice of the European Union and changes in EU law through the transition period, though presumably there will not be that many. The CJEU will continue to have jurisdiction in the UK, and decisions on the GDPR may be referred to the CJEU during the transition period.
We have all that as a base, but what happens if either we find that the EU will not grant an adequacy agreement or that it is significantly delayed? The current thinking is that impacted organisations—there will be a lot of them—will need to adopt specific legal safeguards to support the lawful transfer of personal data to the UK and that they will use standard sets of contractual terms and conditions, which the sender and the receiver of the personal data must both sign up to. But SCCs cannot be used to safeguard all transfers, and redress would of course be a civil and not a criminal matter in the courts, with all that that implies. The question is whether the Government have in mind to legislate to provide certainty for this possibility. Can the Minister comment on that?
The Government have ambitious plans, which we broadly support, to respond to increasing concern about the use and misuse of personal data, particularly as these affect children, but also including online trolling, fake news and undue influence on political issues. The Government are also considering how and in what way data companies are covered by competition and other regulations that apply to media companies.
Baroness Barran
As the noble Baroness understands very well, the adequacy discussions will be broader than strictly personal data and data protection, and will cover these issues. It will be our role to explain to and convince the EU of that, which we are confident we can do.
Similarly in relation to immigration data, which the noble Baroness raised, we believe that there are some misunderstandings about how this provision works. Rather than going into that detail tonight, I can write to her on this. However, we are confident that the provisions included in the Act are fully compatible with EU law, although clearly we recognise that they will be closely scrutinised.
The noble Lord, Lord Stevenson, asked about the independence of the Information Commissioner’s Office. We believe that the ICO is a strong, independent and effective regulator and that its relationship with DCMS upholds that independence. We really do not have concerns that this will be an issue in relation to adequacy.
The noble Baroness referred to the opinion received today from the Advocate-General of the EU; as she said, the opinion is non-binding and the impact will happen only when we have the court’s judgment, although I note her comments on the probability of that. Since the opinion was published only a few hours ago, my officials are currently digesting it, so noble Lords will understand that our ability to comment on these proceedings is limited.
The noble Lord, Lord Stevenson, asked about recitals in the future UK GDPR which still include the EU terminology. Recitals are non-binding in both EU GDPR and future UK GDPR. They are there only as an aid to interpretation and we do not believe that the references to the EU will be confusing.
The noble Baroness, Lady Ludford, referred to the Schengen Information System. I understand that the House will discuss the UK’s access to several EU law enforcement databases on the next amendment. If she will permit it, I think it would be easier to return to that question then.
Both noble Lords asked what will happen if an adequacy decision has not been granted at the end of the implementation period. Obviously both sides have committed clearly, and it is an absolute priority, to make this work, but in the event that an agreement is not reached, the Government have already done a huge amount around no deal, working proactively to communicate companies’ responsibilities in this area—particularly in relation to smaller companies, which we know might find this more challenging. The Information Commissioner’s Office produced a portal to support organisations preparing the standard contractual clauses referred to by the noble Lord, Lord Stevenson.
I fear that time may not permit me to answer any more questions but I will endeavour to write and cover all the important points made. I hope that I have managed to reassure the noble Lord that, once adequacy discussions are under way, both Houses will continue to use all the available scrutiny tools at their disposal to ensure that they are absolutely appropriately informed on the Government’s data adequacy progress and policy. I hope that he will feel able to withdraw his amendment.
Lord Stevenson of Balmacara
Before the Minister sits down, I hope that she can respond to one section of what I was asking about, on the interaction between existing responses to the data adequacy question and the new legislation that the department is working on. Does she feel that the new legislation as previously conceived—and, indeed, as set out in her party’s manifesto—is being progressed and that there is no adverse fallout from that?
Lord Stevenson of Balmacara
My Lords, I thank the noble Lords who have contributed to this short but good debate. It was a robust response. I thank the Minister for the various points that she was able to cover and I look forward to her letter.
I did not raise it, but sitting a bit behind those on the Benches opposite is the question of why such a mess was made on the age-verification issues relating to children’s safety online. In a sense, that is why I asked about future policy in relation to where we were. This is a moving target. I do not want to be critical about this in any sense because it is right that we keep things moving and do not stick on where we were, in some sort of pre-Brexit mode. We must move forward. Life is changing, attitudes are changing and technology is moving forward at a huge pace.
We must be ready to anticipate that but it must not be at the expense of some hard-won decisions that were reached after a lot of debate. They were good decisions in relation to the Bill; both the Home Office and DCMS were heavily involved in them and I am sure that they are joined at the hip over this wonderfully named data adequacy hub. I wish it well in its future negotiations; I am sure that it is raring to go and that it will be very successful.
That leaves us with a bit of an information gap. Yes, the existing arrangements for getting information can be used, but they are never as efficient or effective as the Opposition want and are probably too frequent and difficult for the Government to respond to. How much better if we had a plan where we could say, “Every two months, you’re going to stand up and say something about it.” Perhaps we can make this work but I hope that this important issue is kept very much at the forefront of the department’s work, that there is an all-government response to this because it applies across the piece, and that we see something positive come from it. With that, I beg leave to withdraw the amendment.