The Minister for Digital and the Creative Industries (Margot James)

- Hansard -

Copy Link

-

I beg to move,

That the Committee has considered the draft Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019.

It is a pleasure to serve under your chairmanship, Mr Evans. Much of our current data protection framework derives from EU measures—namely the General Data Protection Regulation and the law enforcement directive—over which our Information Commissioner’s Office and UK civil servants have had considerable influence.

When the UK leaves the EU, the GDPR will no longer have direct effect on our law. It will however be retained in domestic law through the European Union (Withdrawal) Act 2018. A number of deficiencies will arise in this as a result of our leaving the Union. The purpose of the draft instrument is to ensure that UK data protection law continues to be operable after exit, and that the protections for data subjects and the obligations on data controllers and processors remain in place after we have left the European Union.

Margot James

- Hansard -

Copy Link

-

The right hon. Gentleman makes a valid point. I do not think that it pertains to this particular statutory instrument, but I am sure that if he requested a debate on those important matters, he would find a ready audience of hon. Members to participate in it.

Many of the changes made to the GDPR by the draft regulations are minor or technical, and replace European Union-related terminology with UK equivalents. In my remarks, I will cover a number of more complex issues relating to international transfers of personal data, extraterritorial application of the UK GDPR, regulatory co-operation, and our approach to what is known as “applied GDPR”.

On international transfers, the GDPR and part 3 of the Data Protection Act 2018 restrict the transfer of personal data to third countries, unless certain safeguards are met. One of those safeguards is a third country, or a sector within the country, being deemed “adequate” by the European Commission. If deemed “adequate”, data can flow freely to that country or sector. In the absence of an adequacy decision, data can still be transferred, but the onus is on controllers to make sure that alternative safeguards are in place to provide sufficient levels of protection.

The Commission will not be able to make adequacy decisions on behalf of the UK post exit. The regulations transfer that function and the function of preparing model contractual clauses to the Secretary of State. To minimise any disruption to established data flows from the UK to the EU post exit, the regulations add a number of transitional provisions to the 2018 Act. That includes a provision to continue to treat EU member states, other European economic area countries and Gibraltar as adequate in relation to processing under the UK GDPR.

Similar provision is made for personal data transferred to third countries for law enforcement purposes under part 3 of the Data Protection Act 2018. That permits transfers to third countries where the European Commission has found a country, territory or sector adequate under article 36 of the law enforcement directive. For law enforcement processing covered by part 3 of the 2018 Act, EU member states and Gibraltar will be treated as adequate to preserve the flow of critical law enforcement data to those places.

The provisions included in the regulations will allow UK businesses to continue to transfer data to their partners in the EU without any interruption. We propose to adopt a similar approach for countries that had been deemed adequate by the EU Commission by the time the draft regulations were laid before Parliament. That includes the EU’s decision on companies participating in the Privacy Shield scheme in the United States. Further regulations will shortly be introduced to clarify that personal data can be transferred only to those US companies that have updated their Privacy Shield commitment to include the UK.

The draft regulations do not refer specifically to the EU’s adequacy decision in relation to Japan, which was made after they were laid before Parliament, but we will work with the Japanese Government to consider what, if anything, is required in our domestic law to reflect that development. Where UK organisations rely on standard contractual clauses approved by the EU Commission as an adequate safeguard for transfers to other third countries, further transitional provisions will mean that they can continue to rely on those contracts.

Let me outline the draft regulations’ approach to the extraterritorial provisions in the GDPR. The GDPR applies not only to data controllers based in the EEA, but to data controllers based outside the EEA processing EEA data for the purpose of providing goods and services or monitoring individuals’ behaviour. Where a data controller outside the EEA is systematically processing data of EEA residents, it is required to appoint a representative in the EEA to act as a contact point for EEA supervisory authorities. To ensure that there will be no dilution in data protection standards when the UK leaves the EU, the draft regulations preserve the GDPR’s extraterritorial approach. In practice, that means that the UK GDPR will apply to certain data controllers based outside the UK that are processing data or monitoring the behaviour of data subjects in the UK. We have preserved article 27, which requires data controllers and processors based abroad who are systematically processing the data of people in the UK to appoint a representative in the UK.

Let me turn to regulatory co-operation. Articles 60 to 76 of the GDPR focus on how supervisory authorities in the EEA will work together to investigate data breaches that might affect people in more than one country. They also make provision about the supervisory authorities sharing guidance and best practice through the European Data Protection Board. If the UK leaves the EU without a deal, there will be no automatic right for the Information Commissioner to sit on the EDPB or participate in the GDPR’s one-stop-shop mechanism, so those provisions have been omitted from the UK GDPR. Even with a deal, the automatic right for the Information Commissioner’s Office to sit on the EDPB is not yet assured.

The draft political declaration makes it clear that the EU and the UK should continue to collaborate on data after we leave the EU. The draft regulations will retain article 50 of the GDPR in our law, ensuring that EU and UK data protection authorities will have a common basis for developing international co-operation mechanisms.

I will now outline what our exit from the EU might mean for “applied GDPR”, as provided for by the Data Protection Act. The Act creates a separate regime that provides for standards broadly equivalent to the GDPR to apply to processing activities that are outside the scope of EU law and not covered by parts 3 or 4 of the Act. As a matter of domestic law, the GDPR will not apply directly to any general processing activities when we leave the EU, so we can simplify matters by recreating a single regime for all general processing activities, including those that were previously covered by the applied GDPR. Provisions in the Data Protection Act that created or referred to the applied GDPR have therefore been removed from all relevant legislation. The draft regulations make it clear that the new single regime covers matters outside the scope of EU competence prior to the UK’s departure from the EU. The existing exemptions relating to national security and defence in the applied GDPR will be retained in the merged regime to ensure that the intelligence community can continue to carry out its vital work.

As I have set out, our approach is an appropriate way of addressing the deficiencies in data protection law resulting from the UK leaving the EU. I commend the draft regulations to the Committee.