Leaving the EU: Data Protection
Debate between Mark Tami and Daniel Zeichner(6 years, 6 months ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Daniel Zeichner (Cambridge) (Lab)
It is a pleasure to follow my regional neighbour, the hon. Member for Chelmsford (Vicky Ford). May I congratulate my hon. Friend the Member for Warwick and Leamington (Matt Western) on his excellent maiden speech? He started by suggesting that he was going to talk about happiness, which is something that we could all do with much more of, and then quite rightly began to reflect on the everyday experiences of his constituents which, sadly, involve less happiness. He did manage to conclude on a positive and optimistic note for the future. I congratulate him on his contribution and on choosing to make it in a debate in which, as we have heard, the stakes are so high. When the public voted last year, I doubt that any of those who voted leave were actually voting to make data transfers more difficult, to make business more complicated, to stop the planes flying, to find video games unplayable and to find regularly used websites suddenly becoming unavailable. If 29 March 2019 is exit day, as some parts of the Government say on some days of the week, April fool’s day 2019 will be a day when the papers really will not have to make it up.
Some have described the movement of data across Europe as the fifth freedom. In fact, my hon. Friend the Member for Cardiff West (Kevin Brennan) made exactly that point. I suspect that most of us, and most of our fellow citizens, are only dimly aware of what actually happens to our data, but it does really matter. The design, extent and provisions of the British data protection framework will have profound implications for the nature of UK-EU trade relations. Today’s debate is particularly timely given the proceedings on the Data Protection Bill that are already under way in the other place. It is vital that we get this framework right.
I chair the all-party group on data analytics, and I have seen at first hand the way in which data has moved to the centre of every sector. Wherever we go, people are talking about data. I hope that the Minister will accept an invitation to meet the all-party group fairly soon to talk about how we can build awareness not just of how transformational this is likely to be, but of how complicated it will be to ensure that we get it right.
As we have heard, data is an increasingly valuable commodity, with the UK conducting three quarters of its cross-border data exchange with the European Union. The EU data economy was worth €272 billion in 2015 and has continued to grow rapidly since.
We have played a key role within the European Union in developing the GDPR, which will come into effect in the UK from May 2018. The European Commission proposed this new legislative framework back in January 2012 as an update and a levelling mechanism to protect citizens across Europe. It has taken five years of discussion and hard work for the regulation to be agreed. This significant measure for the UK does a number of things. It significantly widens the definition of personal data, transforms the notion of consent, carries severe fines for companies in case of non-compliance and fundamentally alters the way in which companies can store and process personal data.
Back in February, the Minister told the House of Lords EU Home Affairs Sub-Committee that the GDPR was a “good piece of legislation”, and I welcome the Government’s sensible decision to adopt the GDPR into UK law. But, as many have pointed out, there are problems ahead, not least with some elements of the relationship with the Investigatory Powers Act 2016. Both techUK and Ukie—the Association for UK Interactive Entertainment—which covers things such as video games, highlighted that concern when the Government published their paper in August, and both noted that the paper did not address an issue that the Government knew to be problematic.
Why would it matter if data flows were interrupted? Well, we are good at data in the UK. Our digitally intensive industries account for 16% of gross value added, 24% of total UK exports and 3 million jobs. The digital sector is growing 32% faster than the national average. We are at a significant competitive advantage in the digital economy. At 10% of GDP, the digital economy makes a larger contribution to our economy than that in any other G20 country, so it really matters to us. Beyond that, it is a vital enabler in the overall UK economy and society. We are increasingly digitised, with all sectors increasingly reliant on data flows. They underpin retail, health, finance, manufacturing and the automotive industries, to name just a few. The Government have confirmed that:
“Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.”
That confirms that they do understand and appreciate the importance of data protection.
Additionally, data flows benefit consumers, allowing innovation in products and services, streamlining performance in industry and improving global communication. They reduce business costs, leading to more investment in research and development, and improve productivity. In some ways, the problem is that our membership of the European Union gives us special advantages. In a profound irony, we actually have more control over our own privacy regime when we are within the European Union than we will have when we are outside it. Let me explain how that comes about.
Outside the EU, we become a third country in terms of our relationship with the European Union. The Government say that the best way forward is an adequacy agreement, or something akin to one, which would need to be secured with the European Commission. There are alternatives, but they are difficult, unstable and particularly ill-suited to UK businesses, especially small and medium-sized enterprises. The large corporations may be able to manage, but the small businesses will not. UK firms, particularly the start-ups in my part of the country, would have to jump through hoops and hurdles that their European counterparts would not have to. While our companies would be spending time and money agreeing standard contractual clauses with customers, their EU counterparts and competitors would simply be getting on with business.
Mark Tami (Alyn and Deeside) (Lab)
Many smaller companies in particular are not aware of what is coming down the road and what sort of extra work they will have to do.
Daniel Zeichner
My hon. Friend is absolutely right. Much work needs to be done to raise awareness of what the GDPR will mean. That is a challenge, but it is a good thing in general. The worry is that if it will not be available for our smaller companies in the future, that already challenging task will be made even more difficult. In fact, it will be so difficult in many cases that small companies in areas like mine will simply up sticks and go somewhere else where the process is easier.
I fully recognise the points made by Government Members. They understand a lot of this and say that an adequacy decision would be the best possible solution to ensure the
“unhindered exchange of data within an appropriate data protection environment”.
The partnership paper clearly states that future data protection co-operation
“could build on the existing adequacy model”.
If we are to achieve that objective, ensuring the continued alignment of the UK’s data protection framework with the EU’s will be key. That should, therefore, be the primary consideration in any discussion of the provisions of the Data Protection Bill. Any deviation from the provisions of the GDPR could put at risk achieving a successful outcome as we seek an adequacy decision.
We also need to look to the future, because if we do get that adequacy agreement, given the close alignment of UK and EU data protection frameworks, the Government must prioritise ICO involvement in the formulation of future EU data protection provisions. As we have heard, the EU will inevitably update the GDPR as time and technology progress. However, we risk these changes being dictated to us, and a duty needs to be placed on the ICO and the commissioner to maintain regulations that keep the UK adequate with the latest version of EU law. Even if we can achieve that, there is a great irony here, in that we will, effectively, be dictated to—it is not quite the taking back control that some were seeking.
Perhaps more important is that just saying that we would like an adequacy agreement is not the same as actually getting one. We might wish for one, but will we be able to have it? Will others agree? There are various problems, which I hope the Minister will address. The first is time. Obtaining an adequacy decision is feasible only for third countries. It follows that, to get one, the UK will need to have left the EU at the time of the ruling, which leads to the very real danger of a data protection cliff edge. In evidence to one of our Committees, Stewart Room, head of data protection at PricewaterhouseCoopers, said that obtaining such a decision could take “many, many years”. So this week’s talk of no deal is highly risky when it comes to data. The risk of a cliff edge is very real and very dangerous.
Then there is the Investigatory Powers Act. There is a danger that some of our neighbours may no longer be inclined to share data with a country that takes a different view on privacy issues from them. As members of the EU, our different traditions are respected; as a third country, things could be very different. The provisions in the Investigatory Powers Act, and the current investigatory practices in our intelligence services, which allow the police to access personal data such as communications or internet data without a requirement for independent judicial approval or for the issue being investigated to be of a certain seriousness, will be a legitimate concern for some countries in the EU when negotiating an adequacy agreement. Perhaps the Minister can tell us what work has been done on this and what assurances have already been received.
The ruling of the Court of Justice of the European Union in the Watson case with regard to the UK’s surveillance and bulk data retention regime is also important. The Court’s decision stated that the UK’s surveillance and data retention laws—then the Data Retention and Investigatory Powers Act 2014—exceeded the EU’s view of what is strictly necessary and appropriate. That model of retaining communications data is broadly mirrored in the new Investigatory Powers Act—the replacement for DRIPA. It is hardly inconceivable, therefore, that the EU could decide that the UK does not reach its standards for adequacy. On this rather complicated set of issues, I should say that I am grateful to Renate Sampson of Big Brother Watch for explaining some of these points to me.
My next concern was about the European charter of fundamental rights, but it has already been touched on in the excellent discussion triggered by the contribution from my right hon. Friend the Member for East Ham (Stephen Timms), whom I will be supporting in his efforts to secure amendment 151 when we discuss the European Union (Withdrawal) Bill.
There is a further point about that Bill. We know that it is controversial and that there are concerns that ministerial alterations can be made without parliamentary votes. If the GDPR were to be altered during the repeal process, and citizens’ personal data rights were in any way diminished, we could be prevented from being anywhere near the level of protection deemed adequate by the EU. The Information Commissioner has made it clear that for the UK to achieve the gold standard of data protection regulation and enforcement, the right way forward is to fully adopt the GDPR, and that position must be maintained.
UK businesses and organisations have already started preparing for the GDPR, which is good. That should stand us in good stead when it comes to an adequacy discussion. It is vital that we enshrine the GDPR in our law permanently in a clean Data Protection Bill, so that data can still flow, businesses can still run and communications do not just stop. However, it is of the utmost importance that we commit to these rules for the long term and provide certainty for individuals and businesses. The economic consequences of not being able to move personal data would be very serious, with companies having to double-store data. That would take a long time to implement, and it would have serious economic and environmental costs, and run the risk of our not being able to operate properly across borders. It would, at a stroke, put at risk the UK’s place as a global hub for tech and other data-intensive industries. There is a huge amount at stake.
There is, of course, a simple alternative that looks more and more obvious with every passing day to some of us, as Brexit morphs into wrecks-it. But until we reach the point at which sense prevails, I hope that the Minister will share with us information on the work being done, especially on fine-tuning the relationship between the GDPR and the IPA, to ensure that the data keeps flowing and we can remain part of the modern world.