Leaving the EU: Data Protection Debate
Full Debate: Read Full DebateMatt Hancock
Main Page: Matt Hancock (Conservative - West Suffolk)Department Debates - View all Matt Hancock's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Commons ChamberI beg to move,
That this House has considered Exiting the European Union and Data Protection.
The digital revolution through which we are living is bringing about the fastest pace of change that any generation has ever seen. With advances in technology accelerating, it is likely that this current pace of change will be the slowest that any of us will experience probably for the rest of our lives. This vast change brings with it big opportunities. We have opportunities to communicate, innovate and organise in ways that were simply inconceivable just a few short decades ago. It also brings with it challenges: to harness the technology for good; to mitigate harm; and to make sure that everyone can benefit.
Underpinning this revolution is the fact that the cost of storing and transmitting data has collapsed faster than at any time since the invention of the printing press, and perhaps at any point in history. The new technology then cut the cost of storing information from the cost of a handwritten manuscript to the cost of print, and the revolution now has cut the cost from that of print to the almost infinitesimally small cost of data storage. Data is therefore the fuel of this new digital economy, and getting the rules on data right is mission-critical for strength in the future.
As well as being fuel for change, data is a massive stimulant for our economic growth, jobs creation and innovation. The UK has Europe’s largest and most dynamic digital economy, attracting approximately £28 billion in technology investment since 2011. The UK also has the largest internet economy of all G20 countries, emphasising the fact that data is rapidly transforming our lives, and creating exciting and innovative opportunities right across the world. The impact is, of course, much broader than just in the tech industry itself. Data underpins social interactions: a Skype call to a family member on the other side of the world; our cultural collaboration, as performances are broadcast across borders; and almost every other part of economic activity, and almost all trade. The importance of the digital economy as a catalyst for job creation and innovation continues to increase exponentially, so it is vital that data is kept secure. Our approach to data protection as we leave the EU is straightforward: we wish to ensure the unhindered free flow of data between countries, if that data is held securely and privacy is respected.
I very much agree with the points that the Minister is making and the ambition he is setting out. Will he commit to securing an adequacy agreement from the EU, so that the free flow of personal data, which he rightly says is important, can continue?
I pay tribute to the right hon. Gentleman’s extensive understanding of these issues, not only from his time as a Minister but since. His understanding is so good that he has correctly anticipated the next page of my speech. That is exactly what we are seeking, because it is strongly in the mutual interests of the UK and the rest of the EU that such an arrangement is put in place.
Having just set out my punchline, perhaps I can describe the build-up to it. The goal is for data to be unhindered when security and privacy are respected. It must be unhindered, so that trade and communication can be effective and so that we can innovate in the use of information, including through advanced techniques such as machine learning and artificial intelligence. But data can be unhindered only where it is appropriate for it to go—with data held securely and privacy respected—which means where there are high standards of cyber-security and data protection.
On cyber-security, the 2017 British Chambers of Commerce digital economy survey reveals that at least one in five UK firms were subject to a cyber-attack in 2016, with larger firms more likely to be hit. As more and more citizens, and the wider economy, rely so heavily on digital technology, it is vital to keep data safe from cyber-attack. On the other side of the coin from strong cyber-security is strong data protection. The UK has been a world leader in data protection for a long time, combining privacy with support for dynamic data-driven innovation. We are determined to ensure that, after our exit from the EU, the UK remains a global leader, promoting both the flow of data internationally and high standards of data protection.
For more than a generation, the Data Protection Act 1998 has been regarded as the gold standard in the world. That Act, which was based on European rules set out in 1995, was the result of a piece of work that started under the then Conservative Government, with the legislation enacted by the subsequent Labour Government. That demonstrates the cross-party approach that has been taken to data protection in the UK. Technology marches on, however. It is almost 20 years since the 1998 Act, but the legislation needs to be kept up to date in this changing world. The Data Protection Bill, which had its Second Reading in the other place earlier this week, will modernise data protection legislation, giving citizens more rights over their data while allowing businesses to use modern data management techniques. It offers greater transparency and accountability, thus giving people more reassurance about how their personal data is used by businesses and organisations. Increased accountability and public confidence in how data is used can enhance the digital economy for the benefit of all.
To return to the point made by the right hon. Member for East Ham (Stephen Timms), the Bill will prepare Britain for Brexit. It will extend the EU’s general data protection regulation—GDPR—and bring into UK law the law enforcement directive. It will extend the principles of GDPR into many areas of our domestic law, which will help to ensure that we prepare the UK for the future after we have left the EU. The implementation of the Bill will ensure that we preserve the concepts of the Data Protection Act that have served us so well. We will aim to ensure that the transition for businesses, individuals and charities is as smooth as possible, while complying with the GDPR and the law enforcement directive in full. That means we will be as well placed as possible to achieve the unhindered flow of data with the EU through something akin to the adequacy deal mentioned by the right hon. Gentleman. That is strongly in the interests of both sides in the negotiation.
The Minister said “something akin” to an adequacy deal. Will he explain what that might mean?
Yes, of course. Our future relationship with the EU will be bespoke. We want to make sure that the flow of data is unhindered, so we effectively seek an adequacy deal, but that is currently scheduled to be negotiated as part of the future relationship. Whether it is enacted through the formal EU mechanism of an adequacy deal or as part of the negotiation is, in a sense, immaterial. What matters is the unhindered free flow of data between the two regimes.
No one would dispute the worthiness of the Minister’s intentions, but the UK will none the less cease to be a member of the EU’s safe data zone following Brexit, which will make it more difficult for banks and other businesses to transfer data between the two jurisdictions. Will the Minister give some reassurance to businesses that are having to make decisions between now and Christmas and into the first quarter of the new year that we will secure the transitional arrangements that businesses need and thereby give them certainty that they will be able to continue to operate as they do now, not only when a deal on our future relationship is signed, but in the crucial transitional period?
That is our objective, but I have one difference with the premise of the hon. Gentleman’s question. He said that our leaving the EU will make things more difficult, but that is not necessarily so, because we seek a relationship that, in terms of the unhindered flow of data, is as high quality as the one we have now. We of course need to secure that as part of the negotiations, and we need to secure it as part of the transitional arrangements as well. Indeed, as we set out in a paper published in August, we are looking at an enhanced mechanism that is not just the normal adequacy deal that other third countries have, but one that enables continued technical engagement between the Information Commissioner and European bodies to ensure that our technical capabilities can continue to inform the future development of data protection standards inside the EU. I did not simply say that we seek an adequacy deal full stop, because we are looking into having a deal that not only reflects a normal third-country adequacy deal, but goes further and ensures that we have a stronger technical relationship between our regulator, the Information Commissioner and the European regulators.
The UK has more than 10% of data flows, more than three quarters of which are with the EU, and more than 40% of the data centres in Europe are in the UK, so does the Minister agree that it is in the interests of European businesses to secure data adequacy—or data adequacy within a new free trade agreement—as well as in the interests of British businesses?
I agree wholeheartedly and strongly with my hon. Friend, who is an expert in these matters, having just arrived in the House from the European Parliament, where she was a rapporteur on some of the key committees that made a number of the important decisions in this policy area. She is absolutely right. The unhindered flow of data will take place between two regimes that are harmonised, because we are bringing into UK law the GDPR, which is obviously European legislation. It is in the strong interests of the UK and the EU to ensure the unhindered free flow of data after Brexit.
I thank the Minister for so generously giving way. I just wanted to press him on the point that he made about the engagement that will happen at a technical level. In practice, does that mean that our standards will be maintained in tandem with those in the EU, and that therefore there will be no difference between the two?
What it means is that the arrangements are harmonised right now. Should the Data Protection Bill become an Act, as I sincerely hope it will—it does have cross-party support—our existing arrangements at the point of exit will be harmonised. What happens after that will depend on the negotiation of our future relationship, with the UK being sovereign. The point is to ensure that the technical details are informed by high-quality UK technical considerations and the capability of the Information Commissioner’s Office. This is, of course, subject to negotiation. We set that out as something we wanted to consider when we published the paper in the summer, but, as the right hon. Gentleman may have heard, we are not yet on to negotiating our future relationship, although we are looking forward to that happening.
During the summer, we published the future partnership paper, which sets out how we ensure the continued protection and uninterrupted exchange of personal data between the EU and the UK. The purpose of setting that out was to offer stability and confidence to businesses, public authorities, charities and individuals. My message to business in particular is very clear. We understand how important this matter is. We know that it is in the strong self-interest of the UK and the EU to get a good deal that involves the unhindered free flow of data. The new partnership should protect the privacy of individuals and respect the UK’s sovereignty, including the UK’s ability to protect the security of its citizens and to maintain and develop its position as a leader in data protection. Ensuring that we protect privacy while also allowing for the innovative use of big data so that the UK can be a world leader in artificial intelligence are the joint goals of the Data Protection Bill.
On the point about what the general data protection regulation provides as an opportunity, does the Minister recognise that it will actually be implemented through a statutory instrument under the European Union (Withdrawal) Bill? Does he agree that we should therefore have a debate in the House on that SI when we get the opportunity?
I am sure that the Under-Secretary of State for Exiting the European Union, my hon. Friend the Member for Worcester (Mr Walker), will have heard that point—this is a bit like a return to business questions from earlier. Parliamentary procedure is a matter for that Bill, but the hon. Gentleman has made his case. It is very important that the element of the GDPR that is directly applicable and therefore not in the Data Protection Bill is brought into UK law. However, we have designed the Bill so that that can slot directly in, meaning that once we leave, the UK should have a fully consistent, full-spectrum data protection regime under our legislation.
The new relationship should also not impose unnecessary additional costs on businesses and must be based on the objective consideration of evidence. Furthermore, because many of these issues are technical, we will continue to seek ongoing regulatory co-operation between the EU and the UK on current and future data protection issues. By doing that, we will build on the opportunity of a partnership between global leaders on data protection and continue to protect the privacy of individuals. As the paper that we published in the summer reiterates, it is important that we provide clarity and certainty for businesses and individuals as soon as possible, so that data flows are not disrupted when the UK leaves the EU. In addition, this is part of a wider global debate about the flow of data, because it is also incredibly important that we get right our data relationship with the United States, Japan and others.
The Minister is being very generous with his time. I am sure that he is aware that the people of Gibraltar are concerned about the impact of the disruption of data flows. Gibraltar holds many data servers, and people there are very concerned that there might be longer-term impacts on their businesses. Can the Minister say anything about that?
Gibraltar is, and will continue to be, part of the United Kingdom. The Under-Secretary of State for Exiting the European Union leads on issues relating to Gibraltar. He will have heard those concerns and will be able to respond to them in detail. In a sense, all this shows why it is so important to get this agreement right.
I am glad that I gave the right hon. Gentleman the opportunity to do so.
A strong relationship on data is beneficial to citizens as it will reassure them that their personal data is subject to robust protection. Maintaining the flow is also important. Once we have left the EU, we will continue to play a leading global role in the development and promotion of appropriate data protection standards with trading partners right around the world.
I am glad that the Minister is committed to seeking this adequacy agreement. Does he recognise that one step that will make that a bit harder—perhaps significantly harder—is the fact that under the terms of the European Union (Withdrawal) Bill, article 8 of the European charter of fundamental rights will no longer be part of UK law? That creates uncertainty about how our data protection law will work. Appeal decisions frequently refer to the actual article, which is part of UK law at the moment. Will he therefore support amendment 151 to the Bill, which would oblige the Government to put back into law the clear assertion that everyone has a right that their personal data is protected?
I thought that the right hon. Gentleman might raise that. I understand his amendment and the reason behind it, which is to ensure that what we are trying to achieve is achieved. However, the removal of the charter from UK law should not affect the substantive rights of individuals when their data is processed, because the charter is not the source of the rights contained within it. The charter was intended only to catalogue rights that already exist in EU law. As he knows, there is not a charter of fundamental rights in the same way in UK law, and it is not necessary. Although I agree with the purpose and intent of what he is trying to achieve, which is to make it as likely as possible that we achieve the adequacy deal and the high-quality arrangements that we are seeking, the amendment is not necessary because of the nature of the charter.
I hope that I have managed to answer Members’ questions. Although I look forward to the debate, I think that we can see strong cross-party agreement on the importance of a high-quality data relationship with the EU once we have left, on ensuring that that works for citizens, businesses and individuals, and on ensuring that we can build on that relationship, which underpins so much in our modern economy.
First, let me apologise for my right hon. Friend the Member for Birmingham, Hodge Hill (Liam Byrne) who has recently joined our team and would normally be speaking on these matters. He is currently fulfilling a prior obligation to speak at the Council of Europe in Strasbourg. It is nice to have him on our team as we served together in the Cabinet Office in government, along with my hon. Friend the Member for West Bromwich East (Tom Watson), and we all look forward to serving in government again very soon in the Department for Digital, Culture, Media and Sport.
If I may, I will just correct the Minister, who inadvertently misinformed the House. Of course, Gibraltar is not part of the United Kingdom. It is an overseas territory. It is technically part of the European Union, although it is obviously excluded from the customs union and the common agricultural policy.
The hon. Gentleman is quite right. Of course, Gibraltar is part of the UK family. I should have been clearer about that, but I am glad that we have cleared that up.
As ever, the Minister is modest enough to accept when he makes a mistake and correct the record.
There are few debates that are more important than those concerning trade, especially in the context of the decision of the UK to exit the European Union with all the impact that that could have on the UK economy. As the Minister quite rightly said, in the 21st century there is nothing much more important to trade than data. As we have heard, 43% of EU tech companies are based in the United Kingdom and three quarters of the UK’s cross-border data flows are with other European Union countries. These data flows are essential for UK trade. Approximately half of all trade in services is enabled by digital technologies and the associated data flows.
Effective modern data protection laws that set down strong rights and protections are vital if the public are to have any trust in the use of personal information within the digital economy, the delivery of public services and the fight against crime. Ensuring that the public can trust that their data is handled safely, whether in the public or private sector, is important for us all. We need to get the Data Protection Bill right—as the Minister pointed out, the Bill has been introduced in the other place and is there as we speak—to implement the new European Union rules on data protection contained in the general data protection regulation. If we do not get it right, people will not benefit to the fullest extent from the new digital services that are coming online all the time. I am sure that the Minister will be pleased that the Opposition welcome the Bill. We deeply regret that the Government opposed our previous attempts to strengthen data protection at the time of the passage of the Digital Economy Act 2017, just a few short months ago, but better late than never. In scrutinising the Data Protection Bill, we will ensure that it is not too little, too late.
So far, the Government have talked the talk about their commitment to unhindered, uninterrupted data flows post-Brexit, but the Data Protection Bill does not really set out fully how they plan to deliver on that promise. Even if the Bill succeeds in bringing UK law into line with the EU’s data protection framework by the deadline of 25 May 2018, it does not necessarily mean that the Bill provides for the future. On leaving the EU, the Government will need to satisfy the European Commission that the UK’s data protection framework provides an “adequate level of protection”. The Government and the Minister today seem to be saying that achieving a positive adequacy decision will be easy, but it might not be as easy as the Minister indicated.
Under article 45 of the general data protection regulation, the European Commission is required to consider a number of issues including, among other things, existing surveillance practices. As Lord Stevenson said in the other place on Tuesday, several commentators have indicated that the current activities of British intelligence services could
“jeopardise a positive adequacy decision”
since data protection rules
“do not offer an equivalent standard of protection to that available in the rest of the EU.”—[Official Report, House of Lords, 10 October 2017; Vol. 785, c. 129.]
Lord Stevenson asked the Government how they might square this circle, but unfortunately received no answer. I understand we will have the intense and unusual pleasure of a second contribution from the Minister in this debate—I foreshadow that by indicating to the House that I will also seek permission to respond on behalf of the Opposition in a similar fashion—so perhaps he could answer that question during his closing remarks.
The Government seem to have lost sight of the need to ensure continuity during the transition period and beyond. They must have measures in place to reassure all those businesses that have taken advantage of the UK as the gateway to Europe that they will pass the adequacy test and ensure that stability and certainty. Given that we need a new data protection regime for sharing data across the channel and the Irish sea, we may as well get this new regime right for consumers as well as businesses. At a time of increasing concern about the misuse of personal data by certain companies, is not there a need for a far more stringent regulatory structure than that contained in the Data Protection Bill?
Colleagues in the other place have already remarked that the tech giants that dominate the digital economy and the market for data have, for too long, got away with portraying themselves as purely neutral platforms. They are not, as each of their business models—not to mention their share value—is predicated on the data flows that they generate and monetise. It has become a cliché, but in a very real sense data is the new oil in the economy.
We should also speak about children in the context of data protection. The Minister did not mention this part of the Government’s plans in his remarks, but I hope he refers to it when he sums up. Children and young people are at the leading edge of the online world, with 75% of 10 to 12-year-olds and 96% of 13 to 18-year-olds using social media sites, with Facebook ranked at the top. Sadly, this has resulted in children and teens being treated as data assets by business, with their personal data stolen and sold without informed consent on a regular basis. That cannot be right. The Data Protection Bill represents an opportunity to right this wrong, but the current drafting of the Bill does not give us much cause for hope in that area.
The Government have chosen to derogate from the general data protection regulation, as the Minister mentioned, by setting the minimum age for a child consenting to the processing of personal data at 13 years of age, rather than 16. Why have they chosen to derogate in that fashion? As John Carr, a member of the executive board of the UK Council for Child Internet Safety, which was set up under the last Labour Government, has noted, perhaps the age of 13 was chosen because when Ireland—where the big social media companies are based—decided on 13 years of age, the UK’s decision was all but irrelevant. Does the Minister agree with that? If that is not the case, what is his explanation for why the Government chose to make this derogation? They claimed in their statement of intent published in August:
“Child online safety is one of the top priorities for this government”.
If so, 16 would have been a better age, as Sonia Livingstone, professor of social psychology in the department of media and communications at the London School of Economics, has argued.
Some people might argue that a lower minimum age is good for younger people’s participation in the digital world, but evidence from the regulator, Ofcom, shows quite clearly that fewer than half of 12 to 15-year-olds can identify an online-sponsored result, let alone understand how companies exploit their personal data. If the Government insist on staying the course with regard to this derogation, they must at the very least guarantee to the House today that they will ensure a significant increase in media education and digital literacy among young people. I hope that the Minister will refer to that in his response. This returns us to the responsibilities of social media and other online businesses.
While we may debate where the minimum age of consent should be fixed, the fact that the Bill does not place any requirements on these companies to prevent under-age access to their services is a glaring oversight, especially from a Government who claim that child online safety is one of their top priorities. The Leader of the House so memorably described Jane Austen in this Chamber not so long ago as
“one of our greatest living authors”—[Official Report, 20 July 2017; Vol. 627, c. 1004.]
To paraphrase Jane Austen, it is a truth universally acknowledged that the Government are making a complete Horlicks of the article 50 negotiations, as we saw again just this morning. At least, they have now taken up our policy.
Just on a point of English language, it is clearly not a truth universally acknowledged, because I do not acknowledge it.
Well, at least the Minister did not claim that Jane Austen was our greatest living author—I will give him credit for that.
I give the Minister and the Government credit for taking up our policy of having a transitional period with regard to Brexit to give themselves a little more time. The price of getting data protection wrong would obviously be enormous, because so many companies rely on transmitting data across the single market.
For many years, we have talked of the four freedoms—the free movement of goods, services, capital and people—but there is a fifth freedom, because, in reality, we have created one of the world’s leading regimes for data transfer, which has allowed our tech companies to grow, flourish and prosper. It would be a disaster if any division, dithering or incompetence around the Brexit negotiations now imperilled that achievement.
The Government have set themselves a very tight schedule for passing the Bill into law before the end of April 2018. As I have indicated, the Opposition will support the main principles of the Bill, but there is a great deal of work still to be done, with several areas needing to be scrutinised, and the Government need to be prepared to amend the Bill to rectify some of the inadequacies I have indicated during my remarks.
All of us in this place owe it to the public, and especially to children, to get this legislation right. We cannot afford to fail just because of the dysfunctionality at the heart of the Government, and I hope the Minister will not be complacent on that score.
At the start of this week, the Prime Minister told the United Kingdom to be prepared for the possibility of a no-deal Brexit. The warning was clear and unambiguous that with gridlocked negotiations a no-deal Brexit was becoming increasingly likely. Of course, the effects of a no-deal Brexit would be catastrophic. The consequences for our economy, our trade and our EU citizens are obvious, and they have been well documented. Less obvious, and among the multitude of hugely important issues that rarely make the headlines, is the impact on data protection of the UK leaving the European without a deal.
Data protection has been described by The Economist and others as:
“The world’s most valuable resource”.
The hon. Member for Cardiff West (Kevin Brennan) described data as “the new oil”. Currently, the UK Government define data protection as the controls on how personal information is used by organisations, businesses or the Government. Everyone responsible for using data has to follow strict rules, and they must make sure that the information is used fairly and lawfully. Information that is held on individuals can include their name, address, credit history, employment history, salary details and even internet browsing history. I am sure that right hon. and hon. Members would wish some, if not all, that information to remain as secure as possible. Robust and strict data protection is therefore absolutely essential to avoid any improper use of that information, whether for online fraud or identity theft, and to keep it from falling into the hands of people or organisations with which we would rather not share it.
Data protection may not be something that we think about every day—indeed, it may not even cross our minds from one year to the next—[Interruption.] Perhaps that is not the case for my hon. Friend the Member for Glasgow North (Patrick Grady). Whether we think about data protection on a daily basis or not, its importance is not diminished. That is why it is absolutely vital that the level of data protection we currently enjoy as EU citizens is guaranteed on day one of Brexit, so that businesses and individuals can continue to rely on existing data flows. It is no exaggeration to say that millions of jobs across Europe rely on data protection and data processing to a greater or lesser extent.
As the Minister acknowledged, the security we receive from our data protection legislation already has a distinctly European flavour, originating as it does from the 1995 EU data protection directive, which was adopted into UK law in the Data Protection Act 1998. Since then, the way in which we create, collate, access and use data has changed enormously, as has the amount of data we create as individuals and as a society. In recognition of that, in 2016 the EU introduced a new legislative framework for data protection: the general data protection regulation, of which we have heard so much, and the police and criminal justice directive. Both those pieces of legislation form the basis of the Data Protection Bill that is in Committee in the other place. The regulations will apply in member states from 2018, and EU member states are required to transpose the directive into national law by the same date.
The Scottish National party agreed with the Minister when he said in February that the GDPR was a “good piece of legislation”. We were pleased that it was included in the Queen’s Speech and that the Government made it clear that our current data protection framework would be amended and made compatible, so that we can adopt the new regulations. We very much welcome the Government’s move to implement the GDPR, giving people more power and control over their own data.
In normal circumstances, I believe that that piece of legislation would be relatively uncontentious. However, as it has done and I believe it will continue to do, Brexit makes the subject of data protection hugely problematic. If we are to leave the EU in March 2019, what is the future for our newly agreed and freshly implemented cross-border, pan-European arrangement with our EU partners? What will be the consequences for businesses and individuals if the UK suddenly finds itself on the outside without a deal to continue the free flow of data not just with the European Union, but with the safe nations with which the EU has secured a reciprocal deal? At a stroke, could the United Kingdom lose its right to exchange data with the United States, a nation on which the Secretary of State for International Trade and President of the Board of Trade seems to be pinning so much hope for our future trade?
We are in an era in which geographical boundaries for data do not exist. Today, as probably every speaker in this debate has said, almost half the large EU digital companies are based in the UK, and a remarkable 75% of cross-border data flow out of the UK is with EU countries. We also have significant data flow with the United States, which occurs because we enjoy access to the EU’s privacy shield agreement. There is no such thing as sovereignty where data is concerned. Currently, we are a signed-up member of an international network committed to safeguarding data. In this global economy, the unfettered free flow of data across international boundaries safely and without delay, cost or detriment is absolutely essential, not just for individuals and businesses but for agencies that need to work across international boundaries. We have heard about many of those agencies today, and they deal with matters such as crime prevention, disease control and national and international security.
For the UK to be able to take full advantage of the continued free flow of data with the rest of the European Union post Brexit, the most straightforward route would be for the EU to issue an adequacy decision. An adequacy decision, as we have heard, is given to a third country—a country that is outside the EU and the EEA—to allow it to operate securely and freely within the framework of the GDPR. It can be given to countries that meet the required standard of data protection, a criterion that currently applies to the United Kingdom. The problem is, however, that an adequacy decision is designed for third countries, and the UK is not—yet—a third country. Indeed, it will not be one until the end of the Brexit process. There is no existing legal mechanism to enable the EU to award an adequacy decision to a country in advance of its leaving the EU. As the leading data protection lawyer, Rosemary Jay, said, the EU has to go through a legislative process, and it is simply not in the EU’s gift to do this in an informal way. I cannot comprehend what the Minister meant when he said that he sought “something akin to” an adequacy deal.
The negotiation of the EU’s future relationship with the UK is not some sort of informal approach; it is a very formal set of talks. We hope that it will lead to a good deal, which we hope will include this area. That is exactly what I meant.
I thank the Minister for his point, but I stress again what Rosemary Jay said: the Commission has to go through a legislative process, and it is not within the EU’s gift to do this in an informal way. There could be a further complication in the UK’s achievement of an adequacy decision. As the hon. Member for Cardiff West said, ahead of granting an adequacy decision the European Commission is obliged to consider a variety of issues, such as the rule of law, respect for human rights and legislation on national security, public security and criminal law.
That being so, there is a very strong suggestion that the Investigatory Powers Act 2016 may jeopardise the ability of the UK to receive a positive adequacy decision. The Investigatory Powers Act has already been accused of violating EU fundamental rights. Eduardo Ustaran, the internationally recognised expert on data protection law, has said:
“What the U.K. needs to do is convince the Commission—and perhaps one day the European Court of Justice—that the Investigatory Powers Act is compatible with fundamental rights. That’s a tall order”.
While the Government are understandably desperate to secure an adequacy decision, the harsh reality is that a lengthy and challenging legal process may have to be undertaken before that happens.
I fear the Government are in denial about this. Indeed, when questioned by the Culture, Media and Sport Committee back in February about what would happen on the day after Brexit if we do not have an adequacy decision in place, the Minister said:
“we seek unhindered data flows but we want that to happen in an uninterrupted way—that is to say, on the morning on which we have left the European Union, it is very important that our data rules work, so that there is an uninterrupted system in place”.
He is absolutely right—I could not agree more—but that did not answer the question about what happens if we do not have such an adequacy decision in place on the day we leave.
Just yesterday, at the Digital, Culture, Media and Sport Committee, I asked the Secretary of State a very similar question about the need to have an adequacy decision in place when the UK leaves the EU. Her answer was that she was
“very hopeful of getting that deal”.
I am sure she is and I wish her well, but at the moment there is no deal in place. The longer negotiations are at a stalemate, while we continue without the legal mechanism to get a third country deal, and, given the issues in relation to the Investigatory Powers Act, securing the agreement the UK needs and absolutely desires is becoming less and less likely.
Another potentially huge problem arises if we do not secure an adequacy decision by the day on which we leave the European Union, because not only will we be outside the EU and isolated from the other 27 member states, but we will also be outside the EU-USA privacy shield agreement. The consequences of that happening may be unthinkable for UK businesses and individuals, but it is absolutely incumbent on the Government to think the unthinkable and to be adequately prepared for it. Putting all their eggs in the one basket of hoping to secure a negotiated adequacy decision is a very high stakes game, so I again ask Ministers: where is the plan B should there not be an adequacy decision? What assessment has been made of the UK not having such a decision in place on the morning on which we leave the European Union, and when will Members of the House be able to see that plan B and that assessment?
Nobody wants such a situation to arise—we want a deal to be struck—but even if the Government’s faith is rewarded and we do secure an adequacy decision, the UK faces another problem. As the GDPR evolves over time, as it surely will, the UK, to maintain its membership, will be required to amend its data protection law to keep in line with European law. The EU charter of fundamental rights and freedoms is now central to EU data protection law, and the charter is interpreted by the European Court of Justice, yet clause 6 of the European Union (Withdrawal) Bill quite clearly states that EU courts will cease to bind UK courts and tribunals following withdrawal. I suspect that if the UK does manage to secure an adequacy decision, to keep it, it will have to fall into line with the European Union Court of Justice.
As I said at the start, we welcome the Bill as a move to ensure that people have more control over their own data and to bring the legislation into line with the huge technological advances since the 1998 Act. We welcome the commitment to implementing the GDPR and to the UK remaining fully involved in protecting EU citizens’ data post-Brexit. We question, and we will continue to question, the Government on how they can take this forward when an adequacy decision is not guaranteed and while there are still unresolved issues about the Investigatory Powers Act, at the same time as they are seeking to remove the UK from the jurisdiction of the European Court of Justice.
Of course, it does not have to be this way. The best, easiest and most straightforward way to ensure that there are no disruptions to data flows between the UK and the EU after Brexit is for the United Kingdom to remain a full member of the single market. The agony and the fear for millions of businesses and individuals of being cut off from both Europe and America if we do not secure an adequacy decision could be avoided by our staying in the single market. Why put people and businesses through this?
After all, no one in any of the nations of the United Kingdom voted to leave the single market. In fact, two of the four nations of the United Kingdom voted to remain in the European Union. We are in this situation because of the Conservative party’s extreme interpretation of Brexit, and that is why we are now actually having to prepare ourselves for what, hitherto, was unimaginable—a no-deal Brexit, with the catastrophic consequences that it will inevitably have for our society and our economy.
I am pleased to follow the hon. Member for Stirling (Stephen Kerr) and will pick up on one or two of his points.
David Cameron has a great deal to answer for. To win support from his party’s right wing for his leadership bid in 2005, he promised during the leadership campaign to withdraw Conservative MEPs from the European People’s party, the main centre-right grouping in the European Parliament, and he delivered on that commitment after the European elections in 2009. By pushing his MEPs to the fringes in the European Parliament, he significantly reduced British influence there and more widely in the EU’s structures, which meant that Britain did not get its way in Europe on an increasing number of issues, by contrast with previous Governments, both Labour and Conservative. The referendum result—the decision to leave the EU—was the inevitable outcome of that spiral of loss of influence, kicked off by his commitment in 2005.
One way to look at the referendum is as a choice between sovereignty and prosperity. In the referendum, the country chose sovereignty, and of course that was a wholly honourable choice to make, but we need to be honest now about the resulting loss of prosperity. Leaving the EU, if it is seen through in the way envisaged now, will make us poorer. Ministers need to stop pretending otherwise, for their own sakes, as well as for the sake of the country, because once the reality becomes clear, the punishment inflicted on the Conservative party will be all the greater if people have not been told what is ahead.
An official in Germany put it to me like this a few months ago: “If you want the benefits of the single market, you have to obey the rules of the single market.” Ministers continue to tell us that we can have the benefits but no longer obey the rules, but that will not be the outcome of these negotiations. It could not possibly be because, if it was by some fluke the outcome, Germany and lots of other Parliaments in the EU would surely vote it down when asked to decide on the deal.
This week, we have at least had some recognition of that reality from the Prime Minister. She has announced that in the transition period from April 2019 we will continue to obey the rules. The writ of the European Court of Justice and the free movement of people will continue into the transition period. As far as I could understand it, the announcement in her statement on Monday seemed to be that we would stay in the single market and the customs union, other than in name. I presume that this is a face-saving device to avoid the embarrassment of a clear U-turn. It would be much better to be honest and commit to staying in the single market and the customs union during the transition period at least, as argued by my right hon. and learned Friend the Member for Holborn and St Pancras (Keir Starmer), the shadow Secretary of State for Exiting the European Union, and my right hon. Friend the Leader of the Opposition. The Prime Minister’s announcement does at least hold out the prospect of delaying the damage to our prosperity for a couple of years, but we need to recognise that that will not avoid the damage to our prosperity altogether.
The challenge is perfectly illustrated by the subject that we are debating this afternoon, and I welcome the fact that the Government have given us the opportunity to have this debate. Mr Speaker characterised my interest in a different area of policy earlier this week with the phrase, “some would say anorakish”. How much more that applies to the area of policy that we are debating this afternoon. The Minister was absolutely right in his opening remarks to underline just how important this policy area is for our prosperity. It underpins the wellbeing of the economy. Indeed, there is growing evidence that one of the reasons why we have failed on productivity growth in the UK in the past few years by contrast with other countries is that the internal management of companies in the UK has been digitised to a lesser extent than elsewhere. If we are to make progress on that—it is vital for our prosperity that we do—then data communications will be even more important in the future than they have been in the past.
I very much enjoyed and appreciated the contribution of the hon. Member for Bromley and Chislehurst (Robert Neill), who chairs the Select Committee on Justice. He underlined, quite apart from the economic considerations, how vital it is for our security and safety that we can continue to communicate personal data with other European Union countries.
The Minister was right to make the point at the outset that our data protection laws in the UK originated with an EU directive in which the UK was very influential. The Conservative Government who negotiated that directive had a powerful voice at that time. Sadly, as I explained earlier, more recent Conservative-led Governments have had a much less powerful voice.
I agree with the right hon. Gentleman that the British MEPs had a strong influence on the GDPR as it was developed in Europe. One of the reasons the GDPR is a good piece of legislation that we can happily bring into UK law is because of that influence. We had that influence after we had left the EPP, so perhaps he will withdraw his earlier comments. As for this argument about lack of influence, the chair of the justice committee in the European Parliament is a British Labour MEP, so is he saying that the lack of influence that he describes is because of the Labour party?
No, certainly not. I am delighted that my Labour colleagues in the European Parliament have retained their place in the Socialist group and therefore their influence. The problem for Britain has been that, by leaving the EPP, Conservative MEPs have had much less influence. I am not saying that they have not had any influence—that is not at all the point I am making—but they have had a great deal less. Therefore, the British Government have been much less able to get their way in Brussels than previous Conservative and Labour Governments, and that is what inexorably led to the referendum result.
The key foundation stone for data protection regulation in Britain has been article 8 of the European charter of fundamental rights, which states:
“Everyone has the right to the protection of personal data concerning him or her.”
The European Union (Withdrawal) Bill—the Minister and I had an exchange about this earlier in the debate—removes the charter of fundamental rights from UK law, so article 8 will no longer apply. The Select Committee on Exiting the European Union took evidence on that point from lawyers yesterday. Sir Stephen Laws, former first parliamentary counsel, argued that the removal of article 8 was a good thing because nobody can quite know exactly what it really means, so that we end up with judges deciding in appeal cases, which makes the law uncertain. He made a very reasonable case. Far better, he said, for Parliament to decide the detailed law and regulations, so that everyone knows where they stand.
However, Dr Charlotte O’Brien of York Law School pointed out that in practice, judges deciding points of data protection law in Britain often refer explicitly to article 8. A reading of their judgments suggests that article 8 frequently sways the decisions that they reach, so it is likely that its removal will mean that their future judgments will be different from those that they have made up until now. We can have an interesting debate about which arrangement is better, and, as I have said, I think that Sir Stephen Laws made a perfectly good case. Our problem, however, is that we have to achieve a declaration from the European Commission that UK data protection law is adequate. That is crucial for the future of our economy.
A point that I hope will reassure the right hon. Gentleman is that EU jurisprudence will be brought into UK law through the European Union (Withdrawal) Bill, although EU jurisdiction will no longer continue.
The proposal is that article 8 will not be there any more. The problem is this: where in the European acquis, which is being brought into UK law, is the clear statement that everyone has the right to have their personal data protected? It is not there, and if it is not there, it will be significantly harder for the European Union to recognise that UK data protection law is adequate.
This is an incredibly important point, so I am grateful to the right hon. Gentleman for allowing me to intervene. The right is there: it is in the GDPR, which will be brought into UK law through the Bill.
The problem is that it is not. There is no clear assertion anywhere in UK law—other than, at present, in article 8—that everyone has the right to have their personal data protected. As I have said, and as was said in the Select Committee yesterday, judges, when making judgments on these matters in appeal cases, often refer to the wording of that article to reach their conclusions.
There is a perfectly good case for arguing that it is better not to have these slightly vague declarations, because the law is clearer if it is all spelt out in legislation that has gone through Parliament, but our problem is that that is not how the matter is looked at in Brussels. Over the next year and a half or so, the Minister has to persuade people in Brussels that our data protection is adequate, and if we no longer have a clear statement in UK law that everyone’s personal data is protected, that task will be a good deal harder.
I agree with that sentiment. Dare I say it, but very few Government Members are present? Although my right hon. Friend the Member for East Ham said this may be an anorak issue, it is in fact crucial to our economy, our new civil liberties and the type of country we want to live in. We should be having such a debate, and I again restate our request that we should do so in this House not only on the Data Protection Bill, but on the GDPR statutory instrument.
I am looking forward to the Data Protection Bill and I am excited about the Committee stage, but I will take this opportunity to address some of the strategic issues that many Members have mentioned: first, the basis of data protection law in the European charter of fundamental rights, on which I will not revisit the arguments already made but will, I hope, add something interesting and new to the debate; secondly, the incoherence between the necessity to mirror EU law and the Government’s illogical policy approach on Brexit; and lastly, the rights and protections of children.
First, as we have heard in this debate, the Government have made it clear that the European charter of fundamental rights will be revoked under the European Union (Withdrawal) Bill. The Minister said that the GDPR in effect says the same thing, but article 8 of the charter, which underpins the GDPR, is referenced in article 45 of the GDPR. If the GDPR is referencing out to statutory, fundamental rights and we take that anchor away, we must replace it elsewhere. I will therefore support the amendment to the Bill proposed by my right hon. Friend the Member for East Ham, to ensure that that happens.
I am sorry to intervene, but I have already explained that because European jurisprudence is being brought into UK law, references to the charter in existing case law will be brought into UK law, which satisfies the hon. Gentleman’s demand.
With respect to the Minister, I am not persuaded that that will be agreed by the European Commission. Of course ECJ jurisprudence will be Supreme Court jurisprudence in this country and will be referenced by judges in that Court, but without a statutory anchor ensuring that the fundamental right is, in their view, in favour of the consumer and the data subject, we risk divergence on the application of the rules.
I want to mention the right of collective address. Under the GDPR, bodies can campaign and bring actions against data controllers in the interests of consumers and data subjects as a whole. This works very well in other areas of the law in this country, such as the Consumer Rights Act 2015. Under that Act, Which?, as a private enforcer against unfair terms, can act on behalf of consumers. For some reason, the Government have decided not to adopt such an approach in the Data Protection Bill. I look to the Minister in his closing remarks to explain why he does not think organisations should be able to bring actions for collective redress on behalf of data subjects. Many data subjects may not be able to enforce their own rights as individuals but rely on such organisations to act in their interests.
On fundamental rights more broadly, I am still confused. I hope that the Minister will provide clarification in this final debate of the week by showing how, although we must maintain fundamental rights, we are also removing them. It is much like being in the single market and leaving it, much like being in Europe but not being in Europe, and much like protecting fundamental rights and not protecting them. What is the answer? The Data Protection Bill seeks to ensure transparency and accountability, and in the light of that theme, I hope the Minister will respond on fundamental rights.
Secondly, if we are successful in seeking an adequacy agreement, it is then for us to maintain equivalence as part of that developing area of EU law, as other Members have said. That will require the UK to adopt the decisions of the newly created European Data Protection Board, which is subject to the jurisprudence of the European Court of Justice. Yet the Government insist that we can be both in and out, which is ludicrous, as I have said. They also say that we can be in it without being subject to the rules, but we know that that is a fallacy. Will the Minister confirm whether the Government’s policy is to get an adequacy agreement either this year or next year, only for it to be revoked in a few years’ time because we do not want to be subject to the jurisdiction of the ECJ? We must be subject to its jurisdiction if we are to maintain adequacy, but we will be forever on the cliff edge of being concerned that adequacy will be removed—as it was from the United States of America by the European Commission—and that is the risk our businesses, our consumers, our charities and others fear.
Lastly, I wish to address the rights and protections of children. I will return to this topic in detail on Second Reading. It is a great disappointment that the European Union has backtracked and pulled back slightly on this issue, so that instead of having a harmonised rule saying that children deserve extra protections—especially in the context of understanding how their use of online products and services means giving over personal data, how that personal data is profiled and how advertising is targeted on children—the European Union decided to provide member states with a range of ages to choose from, from 13 to 16.
As my hon. Friend the Member for Cardiff West (Kevin Brennan) said, the UK opted for the age of 13 as the minimum GDPR requirement. I think that is the wrong decision and, according to polls by YouGov, 80% of parents agree with me. However, I encourage us to be intelligent about the way we regulate to support children. It is obvious that if we put in these frameworks children may find ways to use the systems anyway. No doubt there are a number of children under the age of 12 and 13 using social media sites today. We must make sure that the regulation is—dare I say?—with the kids. It needs to make sense and it needs to work properly. I look forward to having that debate and no doubt a shared aim.
As we prepare for the arrival of the Data Protection Bill, this is the first glimpse of a major piece of proposed legislation that highlights the enormous challenges with implementing Brexit. It is not just an issue of primary law for many of the issues we have talked about today; it is about clear rules and about compliance by those subjected to it. On clear rules, I refer to comments made by the Baroness Lane-Fox on Second Reading in the other place, when she pulled out a particularly entertaining section the Data Protection Bill, which reads:
“Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR… In this Chapter, ‘the applied Chapter 2’ means Chapter 2 of this Part as applied by this Chapter”.
Other than that sounding like something out of the “Yes Minister” comedy series, it says to me, as a former lawyer, expense. People will be concerned—quite frankly, charities and other groups will be terrified—about getting this wrong. They will have to endure huge compliance costs in trying to implement what should be clear rules into their business.
Following on from what the hon. Member for Chelmsford (Vicky Ford) said—she is not in her place—on compliance and guidance from the ICO, I stress this point with the Minister: many businesses want to do the right thing. They wait on guidance from the ICO and others to tell them what the law means and how they will seek to enforce that law. However, much guidance has either been delayed or is not yet with us. The guidance that has been provided is not, in many cases, sufficiently clear either. We must support the ICO properly to ensure it can provide that service, and we must make sure that people know how to comply with the law.
The UK is, as we have heard, one of the world’s leading digital economies. Bristol is one of the largest digital economies outside of London, and we lead the way on these issues in the world. We have the opportunity to set the tone in becoming a global hub for the world’s digital economy based not only on trust, accountability and security, but on business innovation and leadership. I look forward to helping the Government in this House to get that right.
With the leave of the House, Madam Deputy Speaker, I shall reply for the Government to this excellent debate. I shall try to answer the points made, unconventional as that might seem.
The subject of the debate could not be more important. The digital revolution is one of the biggest things happening to this country and the world. Indeed, I think the digital revolution as a whole is bigger than Brexit. The right hon. Member for East Ham (Stephen Timms) thought this would be an anorak-like debate, but hoped it would not. Well, I think we could liken the debate to an anorak because in some circumstances anoraks are incredibly important. The debate may have been detailed and technical in parts, but it is vital to get these things right for our country’s future.
As others have said, what a pleasure it was to hear the fine maiden speech by the hon. Member for Warwick and Leamington (Matt Western). He even introduced a word that I had never heard—camoufleurs. What a description! He spoke well of his new constituency, especially the design industry, and the gaming industry that is so important there. He spoke of history and the future. As the Minister for the gaming industry and for VR and AR, I am thrilled to hear that he will continue to champion them; I look forward to engaging with him often.
I was delighted to hear that Leamington is the happiest place to live. Funnily enough, I thought that was Suffolk. I give the hon. Gentleman a gentle warning about hostages to fortune: he very gently and elegantly took the credit for Leamington’s being the happiest place in the country, so now we all know where to look if it all goes wrong.
I almost called the Labour Front-Bench spokesman, the hon. Member for Cardiff West (Kevin Brennan), my hon. Friend because we have spent so much time together in Committee in the past. I look forward to doing so again in future. I was surprised to learn two new things about him. I am astonished that he has university-age children; he looks as though he has barely left university himself. And he says he is delighted that the former Member for Warwick and Leamington, Chris White, is no longer in the House because he is a double. He can imagine how I felt when Mike Hancock was defeated!
The hon. Member for Cardiff West asked some serious and important questions. First, he raised the question of parental consent at the age of 13. There is flexibility in the GDPR legislation to set the age of parental consent at any age between 13 and 16. In the UK that age is effectively 12 at the moment—although it is not set in the same way—which means that we are raising the age. We of course recognise the fundamental role that the internet plays in the lives of teenagers, and we agree that it is vital to educate children, not only on the positives of the internet—coding has been in the curriculum for three or four years—but on the risks. The internet safety strategy published yesterday stated that we will do more to educate children about safety, but online platforms also give children educational and social resource, and the rules need to be realistic if they are to work. We do not want to introduce an unworkable rule.
This is a balanced judgment, but I believe we were right when we chose the age of 13. It was suggested that we did so because the Irish Government decided on 13, but the point about GDPR is that what matters is whose data it is, so it is not a question of the dataset in which the data is stored; it is a question of how old the child is.
The hon. Member for Cardiff West, and several other hon. Members, asked about the adequacy of our national security legislation. We are already compliant with EU law on data protection, with the Intellectual Property (Unjustified Threats) Act 2017, and we will be after exit. We are confident that that legislation should not present a significant obstacle to negotiations, not least because we have one of the most robust oversight frameworks in the world, and we brought in judicial oversight as part of the move from the Data Retention and Investigatory Powers Act 2014 to the Investigatory Powers Act 2016.
We heard an excellent speech from my hon. Friend the Member for Bromley and Chislehurst (Robert Neill), who argued that how data rules relate to finance is a huge issue to be tackled. He is absolutely right, and we do have regular discussions with the financial sector. None of us should forget his point that it is in the interests of both the UK and the EU to get things right. We will help to ensure that Gibraltar has market access to the UK, which my hon. Friend cares about. That may require a degree of regulatory equivalence, and he knows that those discussions are ongoing. Our intention to maintain the data relationship for law enforcement purposes is clear, which is why we are putting the law enforcement directive into UK law as part of the Data Protection Bill. We want to continue to have a strong partnership with the EU. There is no legal barrier to the EU establishing an international agreement giving third countries access to SIS II and the European Criminal Records Information System. We are exploring a full range of options, but much of the detail will obviously be down to the negotiations.
I am delighted that the Scottish National Party supports our approach, and I am grateful for the support of both the Scottish Government and the SNP Members here. When the hon. Member for Argyll and Bute (Brendan O’Hara) said that what I had said previously was absolutely right, I started to worry a little—we do not usually hear that, from the SNP Benches—but he then asked specifically about a no-deal scenario. In the annex to the paper we published in the summer, we outlined other ways to ensure the flow of data, and we do consider all options. There are alternative means of legal transfer of data, but we fully expect a good deal. The hon. Member for Strangford (Jim Shannon) made the same point, but he stressed that this is about not just the future EU-UK relationship, but the UK’s relationships all around the world and our ability to get strong trading relationships underpinned by data that is protected with good cyber-security.
My hon. Friend the Member for Stirling (Stephen Kerr) argued powerfully that data protection must be based on trust—my hon. Friend the Member for Chelmsford (Vicky Ford) made a similar point—and mentioned the advantage of future flexibility in a position in which Britain can lead across the world. He mentioned our history on that topic and the computer Manchester 1, which my mother worked on, and Stirling’s growing digital economy. He asked us to raise our eyes to the horizon and ensure that we get this right across the world.
Like the hon. Member for Cambridge (Daniel Zeichner), my hon. Friend the Member for Stirling asked about the EU-US privacy shield and post-Brexit data flows. We of course want to maintain the current protections for UK citizens under the privacy shield after exit. We want to ensure that data flows between the UK and third countries with EU adequacy decisions, like the US, can continue on the same basis. That is part and parcel of what we are trying to achieve.
The hon. Member for Cambridge also asked about dialogue with the EU on the future partnerships paper, and that is ongoing. For example, the Secretary of State for Justice is at the Justice and Home Affairs Council this week and will be speaking about that paper, setting out in particular the argument that we are approaching Brexit from a point of harmonisation. Keeping the Data Protection Bill harmonised with the GDPR will be critical as we take the Bill through both Houses, and I am glad for the Opposition’s support in maintaining that position.
The right hon. Member for East Ham made a characteristically excellent speech. I hope he is not on the Bill Committee, and I mean that as a compliment. However, he was wrong about the loss of influence, and my hon. Friend the Member for Chelmsford, who was in the European Parliament at the time, pointed out just how influential both Labour and Conservative British MEPs were in ensuring that we got a good piece of GDPR legislation.
I want to make it absolutely clear that our goal is an agreement that builds on the existing model of adequacy. We are seeking an arrangement at least as strong as adequacy—stronger, in fact. There was a bit of debate about whether how I put things in my opening speech implied that we were moving off adequacy. We are not. I say again that we are seeking an arrangement at least as strong as adequacy—stronger, in fact—as part of the negotiation.
Does the Minister recognise that the absence of article 8 will make his goal harder to achieve? He said that we can look elsewhere in the body of European law, and it is all terribly vague and badly defined. The problem is that that will not convince the Commission—and it is the Commission that he has to convince about adequacy.
I think the right hon. Gentleman is wrong on this point, which no doubt we will debate during the passage of the Bill. We know of no other jurisdiction with an adequacy deal that has been required to put the charter into law. Such a requirement has not been imposed anywhere else, so there is no reason for it in this case. The charter is a summary of laws present elsewhere and we are bringing the jurisprudence into UK law. Our goals are the same; in a sense, the question is a legal one. The fact that such a requirement has not existed in any other adequacy arrangements implies that the issue should not be problem for us, not least because of our strong legal basis for bringing GDPR into UK law.
On mail and direct marketing by post, I should like to correct the right hon. Gentleman slightly. Data controllers will need a legal basis for this under GDPR, but article 6 sets out a number of potential legal bases, not only consent. That does not change the reality on the ground from the current data protection arrangements. I hope that I have provided adequate reassurance.
The right hon. Gentleman and the hon. Member for Leeds North West (Alex Sobel) raised article 8, as did others. I am clear about the strength of the assurance that I have given and I hope that Opposition Members accept it. When private businesses consider their future arrangements, I hope that Members on both sides will make clear our determination to get a deal that is as good as adequacy, if not better. We want people to continue to do business and thrive here in the UK.
My hon. Friend the Member for Chelmsford, whom I have mentioned a couple of times, made a powerful and informed speech. Of course we think that the passenger data transfer is important; the referendum does not change how important it is. The EU already has third country arrangements in place with others, so we see no reason why the issue cannot be fixed. I am also sure that Chelmsford is a happy place to live; I wonder whether that is down to my hon. Friend or her ebullient predecessor.
I also agree with my hon. Friend that we must be vigilant and not gold-plate the Data Protection Bill through Information Commissioner’s Office guidance. No doubt we will discuss that during the passage of the Bill. I have regular conversations with the ICO about exactly that issue. We want guidance to come out early. In some cases, the ICO is having to wait for guidance from the Commission and that causes the delay—it is not the fault of the Information Commissioner. But we do want guidance to be in clear, simple language, not gold-plated, and to come out as early as is reasonably practicable. I thank the Information Commissioner and all her team for her excellent work.
The Minister says that the guidance should come out early, but it is already too late in respect of direct applicability of the general data protection regulation for many businesses, which may need to carry out major systems changes if guidance says something that they are not expecting based on interpretation of the article. Will he say to the ICO that, where guidance is late and that makes it harder for organisations to make those changes, there will be some leeway when it comes to enforcement?
The hon. Gentleman speaks like a true lawyer. The hon. Member for Cardiff West said that the hon. Gentleman had been outed as a lawyer during this debate—my goodness, he outs himself as a lawyer from the first moment he strikes his posture in this Chamber. He is obviously a lawyer and that latest point only proves it further. The ICO has already said that, and it is well worth reading the Information Commissioner’s Cambridge speech from a couple of months ago, which set out that reassurance. The hon. Gentleman asked about timing and complained about there not being an agreement already. We want to get on and discuss the future relationship, and the Government have made that clear; it is the European side that is blocking progressing on to the future relationship. I hope that we can get on and discuss it forthwith.
As I have said, we have been in Brussels and heard time and again from different sides that it is up to the UK Government to break that deadlock. There are two issues where they are free to break it; this is particularly the case on the money issue, but Government Members do not want to face that, because even a penny to pay in compensation or in the divorce bill will not be good enough. That is why we are in deadlock and we cannot move on.
The hon. Lady is wrong about that. She is also wrong to have said that there is no certainty about the future UK data protection arrangements, because there is and we are putting it into law: it will be the GDPR, plus the Data Protection Bill, which is before the other House. Although she was completely wrong, I am grateful for her intervention.
This has been a very productive debate and I am grateful for the largely very well-informed and detailed discussion, all of which has been good natured. I look forward to continuing this over the months ahead. There is a shared mission in this House to have a high-quality data agreement with the European Union to make sure we have high-quality data protection and the free flow of data. I hope I have given assurances about the actions we are taking to deliver that and to support the digital economy, through Brexit and beyond.
Question put and agreed to.
Resolved,
That this House has considered Exiting the European Union and Data Protection.