Draft Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019 Debate
Full Debate: Read Full DebatePhilippa Whitford
Main Page: Philippa Whitford (Scottish National Party - Central Ayrshire)Department Debates - View all Philippa Whitford's debates with the Department for Digital, Culture, Media & Sport
(5 years, 10 months ago)
General CommitteesIt is a pleasure to serve under your chairmanship, Mr Evans. Obviously, we are rushing through hundreds of statutory instruments because of the threat of no deal and of exiting the EU in a rush in just over 40 days. Data flow is absolutely critical, not just for tech companies, but for how the public sector—or indeed, everything—functions. Getting it right is therefore critical.
I recognise that this has to be done, although it is disappointing that it is being done in a rush, because the public’s concern is about the flow of their personal data and whether it is maintained in a private fashion and protected. An issue that has been raised with me by EU citizens who have looked at applying for settled status is that in the small print at the end, it says that their data may be shared with public or private organisations in the UK or outside. It does not state who on this planet their data cannot be shared with—that might actually be a shorter list. That raises real concern because it is important data to do with their identity, background and HMRC records. It is important that people’s data is protected.
I recognise that the SI corrects paragraphs 76 and 201 of schedule 19 to the Data Protection Act 2018, but the key, as the Minister highlighted, is international transfer. The European Commission has carried out adequacy assessments on third countries, maintained ongoing monitoring and issued standard contractual clauses where protections are not sufficient. It has also monitored and supported that process on an ongoing basis. The Minister’s reference to Japan’s agreement, which was made after this draft instrument was laid, raises one of the key questions going forward: how will this be kept up to date as things change with the EU? We are talking about a massive recreation and duplication of that effort. Huge multinational companies transfer our data elsewhere in the world, and binding corporate rules and whether that data remains protected is another issue that concerns people.
All that will be put on the shoulders of the Secretary of State and the Information Commissioner. I echo the shadow Minister in querying the cost of this and how that cost will be covered, whether from businesses or from taxpayers. The explanatory memorandum mentions that the Government are looking to maintain data flows from the UK to the EU, but nothing in the draft instrument can compel data flows from the EU to the UK. Data flows are a two-way transfer. The loss of the commissioner’s position on the EDPB is significant.
Whether statutory instruments deal with drugs, blood products or medical devices, the sharing of information in both directions has been for the benefit of all our constituents. How will the new regime work going forward? How it will be funded? How will we ensure that we do not end up with gaps in data that expose us to dangers in the future?
I thank hon. Members for their questions and comments. I will do my best to respond to them. I agree with the shadow Minister that the draft regulations are a wise precaution. He rightly mentioned that three quarters of our country’s international data flows are with other European Union member states. That is of course even more than the average for exports of other things, notably manufactured goods, which are almost 50% of our global trade.
I do not know whether the shadow Minister is concerned that, by locking into the GDPR, we will jeopardise our ability to strike trade deals with other countries. In previous debates, I have assured him that it is the Government’s intention that we continue to enjoy the benefits of the privacy and data rights that the GDPR has given British nationals, and we would not want to see those rights compromised by any trade deal in the future. The GDPR is becoming a gold standard for privacy and data rights globally—it is causing rising envy, certainly in the US.
The shadow Minister mentioned the age of consent, which is set at 13 in the Data Protection Act. That relates to the rights of young people to open accounts online. We have not reduced that age; we have set it. We set it within the band that the GDPR permits member states to set it. We were not alone in choosing 13; at least five other member states also set the age of digital consent at 13. He raised concerns, which I share, about some of the risks to young people online. We intend to address those through the White Paper we will publish shortly. I thank him and his team for the suggestions they have made to us over the past six months about what that White Paper should contain.
The shadow Minister asked about adequacy. He knows that we cannot guarantee adequacy, because it is in the EU’s gift rather than ours, but we have made it clear to the EU that we are ready to commence adequacy discussions just as soon as it is ready. We have had an indication from the Commission that, as long as we leave with a deal, it will be ready to start those discussions immediately. Given that we will be fully compliant at the moment of departure, it is highly likely that we will be able to conclude those discussions at the shorter end of the spectrum of times that adequacy discussions with third countries have taken in the past.
The shadow Minister asked about the contingencies we are making in the event of no deal. The ICO and officials in my Department have been working closely together, and the ICO has published approaches for both the public sector and industry in terms of the reach of the standard contractual clauses that will form a legal basis for transferring data in the event that we do not have an adequacy decision. Of course, if we left without a deal, we would not have an adequacy decision.
The hon. Member for Central Ayrshire asked whether EU citizens in her constituency and elsewhere in Scotland will continue to enjoy the same data rights and privacy. I can assure her that they will. They will have those rights as long as we leave with a deal. EU citizens’ rights are enshrined in the deal, and they will enjoy exactly the same provisions as citizens of this country, assuming we get that deal and implement these regulations. The regulations will preserve the GDPR’s extraterritorial approach in UK law.
Will the Minister therefore clarify—I understand that she might not be able to do so at this moment—why there is no reference to GDPR protection in the small print of the settled status scheme, other than a bald statement that people’s data can be shared pretty much with anybody?