Read Bill Ministerial Extracts
Data Protection Bill [Lords] Debate
Full Debate: Read Full DebateStephen Timms
Main Page: Stephen Timms (Labour - East Ham)Department Debates - View all Stephen Timms's debates with the Department for Digital, Culture, Media & Sport
(6 years, 8 months ago)
Commons ChamberI wholeheartedly agree with my hon. Friend about not limiting the rights of the free press. He might be aware of amendments that were made in the other place on exactly that issue and that are supported by a number of Members of this House, including, notably, some who are also supported by Max Mosley. I think that we should remove those two provisions. The ability of our press properly to scrutinise is important and should not be undermined in the ways proposed, but I will come to that in more detail later.
The right to be forgotten is an important element of making sure that data is held appropriately and when there are legitimate grounds. The Bill also allows for data portability—a person’s right to transfer their data from one provider to another.
As the Secretary of State is describing, the Bill puts into UK law the EU’s general data protection regulation, which is the right thing to do. I am confident that he would agree that we need to ensure that our data protection rules stay in line with the EU regulation as things develop. Does it trouble him that we will have less influence over the future content of the EU’s rules once we have left it?
I agree that this is a strong set of data protection standards. We intend to stay aligned with the EU standards, not least because they are extraterritorial, which means that anyone wanting to do any business or transactions with EU citizens would have to follow them anyway. There is therefore a very strong case for alignment in this area. Indeed, we have set out that we want the Information Commissioner to remain engaged with the future development of technical standards because we expect the GDPR effectively to become a standard that is increasingly followed around the world by companies that want to engage with the EU, and because we believe that high data protection standards go hand in hand with the capability to innovate and provide for customers. The Prime Minister was, of course, clear about the detail on Friday.
Like my hon. Friend the Member for Cambridge (Daniel Zeichner), who gave an excellent speech a few minutes ago, I will focus my remarks on the data protection aspects of the Bill. The Minister will have seen the press report this morning on research carried out by the Federation of Small Businesses showing that fewer than one in 10 small businesses is fully prepared for the obligations that this legislation imposes on them, and just under one in five has not yet heard of the GDPR. These obligations all take effect at the end of May—in less than three months’ time—so whatever the merits of this Bill, there is clearly a huge amount of work to be done in drawing the attention of those affected to what it means.
Ministers have made some changes to the Bill during its passage through the other place since we last discussed it in this Chamber on 12 October. In that debate, I and others made the point that my hon. Friend the Member for West Bromwich East (Tom Watson) made earlier—that leaving article 8 of the European charter of fundamental rights outside UK law poses a serious threat to our achieving a data adequacy determination from the European Commission in future. I therefore welcome the addition of what is now clause 2, which partly addresses that. However, I do not think it goes far enough, so I will be supporting my hon. Friend’s proposal that article 8 should be added to our statute book. Lord Stevenson tabled an amendment in the other place that said:
“The protection of personal data may not be lawfully restricted or limited unless such restrictions and limitations are consistent with the principle of proportionality.”
That is an important additional protection that ought to be in the Bill. I hope that we will be able to debate that amendment in Committee.
There is some confusion in the Government about all this. The Secretary of State set out how important it is that we keep our UK data regulation aligned with the regulation in the European Union because of the importance to the UK economy of personal data transfers between the UK and the EU. He is absolutely right about that. However, in recent months, the Foreign Secretary and the International Trade Secretary have suggested from time to time that it would be a good thing if the UK could deviate from EU rules on data protection. Last July, for example, the International Trade Secretary said in the United States—I am quoting from a report in the Financial Times—that the UK was more in line with US calls for information to be allowed to flow freely across borders while Germany and other EU countries insist on localisation. He was getting a bit confused about two different things, but he is clearly suggesting in that remark, as in others, that it could be a good thing for the UK to deviate from EU data protection rules. In fact—the Secretary of State is absolutely right about this—it would be a disaster for the UK to deviate from EU data protection regulation, because if the EU were to judge our data protection rules to be inadequate, a large chunk of the UK economy would immediately be without any lawful basis. That could affect exactly the kind of innovative company to which my hon. Friend the Member for Cambridge drew attention—a games company with players all over Europe who, as a part of playing the game, need to be able to send personal data between their country and the European Union.
The right hon. Gentleman has made this point in these debates several times, and I want to reassure him on the Government’s precise position. I stated this in my remarks, not speaking from notes, but let me read to him what the Prime Minister said in her speech on Friday:
“we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.”
So there you have it.
I am grateful to the Secretary of State, and I welcome that commitment on the part of the Prime Minister.
The problem is, however, that the International Trade Secretary and the Foreign Secretary have been saying different. That led to techUK, the industry body, writing to the International Trade Secretary last month to highlight the dangers. This was reported by that reliable publication, The Daily Telegraph, on 19 February, with the headline: “Tech industry warns Ministers not to drop EU security laws”. The report began:
“The British tech industry has issued a stark warning to leading Brexiteer ministers that diverging from EU data protection standards after Brexit will ‘undermine’ the UK’s status as Europe’s leading tech hub.”
The Secretary of State is absolutely right not to have gone down the same road as his right hon. Friends, and I very much welcome what the Prime Minister said about all this on Friday. However, there is clearly a problem in the Cabinet. I gather that after sending that letter, techUK received a reassuring response from the Department, and then a few days later a non-executive director at the Department for International Trade was quoted as saying, “Complying with EU standards on data is not the only solution.” But the truth is that for a large part of the UK economy, it is the only solution. We need to be absolutely clear about this. I am delighted that the Secretary of State is clear about it. Of course, that is why he is bringing this Bill before us and why he has altered it in line with what a number of us said in October.
I hate to take the wind out of the right hon. Gentleman’s sails, but it was unusual to receive that letter from techUK, because rarely as a Minister have I been lobbied so strongly in support of my own position.
I am glad that the Secretary of State has been lobbied in support of his own position, but he needs to watch his back against Ministers who lack the clarity that he has expressed—particularly the International Trade Secretary and the Foreign Secretary, who continue to say that there is merit in divergence. There is no merit in divergence at all. Significant numbers of tech start-ups are already going to Berlin rather than basing themselves in the UK because of the uncertainty about this issue. The more uncertainty there is, fanned by some members of the Cabinet, the greater the economic damage to the UK.
This is a very clear example of the situation we are going to find ourselves in more and more when we have left the European Union. It will be asserted that because of our economic interests, in this case, we should comply with rules drawn up by the European Union—in this case, the general data protection regulation—but we will no longer have a vote about what those rules should be. We will become a rule-taker. I welcome the commitment that the Prime Minister has made to a place for the UK’s Information Commissioner on the European data protection board. That will be helpful. It means that we will at least get a voice in these discussions when the rules are being drawn up—but we will not get a vote. We will be less influential in EU data protection laws than we have been as members of the European Union. We need to recognise that our influence, including over laws that we are going to have to implement ourselves, will be less in future than it has been up to now.
I would very much welcome the Minister telling us—my hon. Friend the Member for Cambridge made this point as well—how, in future, we are going to make adequacy determinations about other countries’ data protection laws. Are we going to adopt the EU list and say that those 12 countries are adequate and others are not, or are we going to have our own processes? How is it going to be done?
I echo the concerns expressed by a number of Members about the threats to our future data adequacy determination that come from the immigration exemption and the national security exemption. Those were not well defended by Ministers in the debates in the other place, and the justification for them is not clear. As others have said, they leave us open to criticisms of our data protection regulations that could threaten our future adequacy determinations. I am very keen to hear the Minister’s response to those concerns in particular.
May I take it from what my right hon. Friend says that the official Opposition’s position is that we will support the retention of the amendments agreed in the other place?
My right hon. Friend is absolutely right. We will support the retention of those amendments, and we will seek to offer a much more wide-ranging, comprehensive approach, which we think the Government should take. We will offer a much more comprehensive, well-rounded and thought-through system of rights for the digital age. We will offer an effective means of safeguarding those rights through the introduction of new forms of collective redress. We will offer new safeguards that help to protect our democracy and that ensure free and fair elections and press justice.
We will also seek to prompt the Government to confirm precisely when they will modernise the e-commerce directive, because many of the threats to freedom in the digital age will come from the fearsome five data giants of this age, which will need regulating in new ways. I think there is some cross-party consensus about the need for the e-commerce directive to be modernised, so we will table amendments that will encourage the Government to get their skates on. Crucially, however, we will table amendments that put beyond doubt the future of any adequacy agreement with the European Union.
As the economy changes, so must the law. There will be many more data and privacy laws to come in the years ahead. We will encourage the Government to put in statute a framework that is not merely fit for today, but fit for the future.