Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020
(3 years, 5 months ago)
Grand CommitteeRead Hansard Text Read Debate Ministerial Extracts
Baroness Barran
That the Grand Committee do consider the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.
Relevant document: 32nd Report from the Secondary Legislation Scrutiny Committee
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Baroness Barran) (Con)
My Lords, I am pleased to introduce a statutory instrument laid before the House on 14 October. Neither the Joint Committee on Statutory Instruments nor the Secondary Legislation Scrutiny Committee has drawn the House’s attention to this instrument.
When the transition period comes to an end, the EU’s regulation on data protection, known as the GDPR, will be retained in domestic law through the European Union (Withdrawal) Act 2018. Last year, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made. I will refer to those regulations as the main regulations. They were made to make minor and technical changes to the retained GDPR and the Data Protection Act 2018 to ensure that UK data protection law continued to be operable on exit day.
The instrument before noble Lords seeks to make some limited amendments to the main regulations, most of which address the fact that there has been a transition period. The majority of the changes are to references to “exit day” in the main regulations, which will be updated to read “IP completion day”. A small number of other changes relate to the transitional provisions for international transfers of personal data.
Binding corporate rules approved by EU data protection regulators enable multinational companies to transfer personal data within their group globally. The main regulations preserve pre-GDPR binding corporate rules that had previously been authorised by the Information Commissioner as a valid transfer mechanism after the transition period. However, a subset of pre-GDPR binding corporate rules currently relied on by organisations with data flows in the UK may have received authorisation from only EU supervisory authorities. This instrument makes provisions that will allow UK-based group members to use such rules as a valid transfer mechanism, if they obtain approval from the Information Commissioner within six months from the end of the transition period.
UK organisations can currently freely transfer personal data to EU and EEA states, and non-EEA countries for which the EU Commission has made adequacy decisions. The main regulations continue this position on a transitional basis and list the relevant adequacy decisions for clarity. This instrument updates the list to reflect developments since the main regulations were made by adding the 2019 adequacy decision for Japan and removing the reference to the EU’s adequacy decision for the US privacy shield. These amendments are not substantive and are entirely in keeping with the original intention of the main regulations, namely the continued free flow of personal data between the UK and third countries that have already been found to meet the requisite standards for data protection.
The main regulations also provided a legal basis for the continued free flow of personal data from the UK to the EU falling within scope of the law enforcement directive, otherwise known as the LED. The approach adopted in the main regulations was to transitionally deem EU member states and Gibraltar as adequate.
Since the main regulations were made, the Home Office has established that the EEA states, Norway, Iceland and Liechtenstein, and Switzerland, have also transposed the LED into their domestic law, which enables data sharing between authorities in the UK and law enforcement agencies within these countries for law enforcement purposes. To enable law enforcement co-operation and data sharing between the UK and EEA states and Switzerland to continue as it does now following the end of the transition period, this instrument adds them to the list of countries that will be treated as adequate, on a transitional basis, under Part 3 of the Data Protection Act 2018. This will be the most efficient way to ensure the flow of personal data, which is fundamental for law enforcement co-operation.
In 2019, an additional statutory instrument was made to amend the main regulations to reflect the arrangements made for personal data transferred from the UK to privacy shield companies in the US. As this adequacy decision has now been invalidated by the CJEU, the amending regulation no longer has any practical effect. Therefore, Regulation 7 revokes that amending regulation before it comes into force.
I have set out why our approach is an appropriate way to address deficiencies in our data protection regime resulting from the UK leaving the EU at the end of the transition period. This instrument will also revoke some EU legislation that would have no practical effect if it were to be retained under the European Union (Withdrawal) Act 2018 at the end of the transition period, such as Council decision 2004/644/EC, which adopts implementing rules of the European Parliament and European Council on the protection of individuals with regard to the processing of personal data by the community institutions and bodies and on the free movement of such data. This retained version of this decision will have no practical effect, so we are revoking it to keep the UK statute book tidy. I beg to move.
Lord McNally (LD) [V]
My Lords, the late Lord Jenkins—Roy Jenkins—once said that joining the EU was like climbing aboard a moving train. Clearly, getting off a moving train is even more perilous. I thank the noble Baroness, Lady Barran, for introducing this SI. I do not want to worry her, but I note that those who follow us may be small in number but strong in expertise.
My interest in this matter goes back to the coalition Government in which I served, along with the noble Lord, Lord Vaizey. Data protection then rested with the Ministry of Justice and I was involved in the early stages of the negotiations of what eventually became the GDPR. I will make two points about that experience. First, I saw first-hand as a Minister the respect for the expertise of our civil servants, who had a profound impact on the shape of EU legislation—influence which is now lost by our departure from the EU. Likewise, I was able to engage the help of British parliamentarians in the European Parliament to ensure that the outcomes reflected our needs. The EU is already planning a review of the GDPR. It would be interesting to know what machinery the Government intend to employ to replace the seat at the table and voice in the Parliament that were lost at Brexit.
My second interest comes from my ongoing membership of the EU Services Sub-Committee, on which I serve with the noble Baroness, Lady Neville-Rolfe, who will speak later. Over the last year we have received evidence from a range of sectors, from financial services to intellectual property, from creative industries to research and higher education. All have expressed concern about the lack of certainty about data transfers post 31 December.
In our committee, we have become used to “It’ll be all right on the night” answers from Ministers giving evidence to us. My concerns were not assuaged by the Secondary Legislation Scrutiny Committee report, which said that
“DCMS told us that the Commission was currently assessing the UK for adequacy under both the General Data Protection Regulation and the LED”—
the law enforcement directive. Would failure to obtain adequacy arrangements with the EU have a knock-on effect with other third countries and on how third-country agreements interact with each other?
These are matters that will impact data flow in every area, from clinical trials to law enforcement. Is the DCMS giving the sectors any advice about contingency plans if data adequacy does not prove to be the shoo-in that the Government initially implied? We could well end up with a kind of smorgasbord of overlapping and interlocking agreements, to be interpreted from one FTA to another.
My final reason for intervening today was witnessing the look of incredulity on the face of the former Home Secretary and Prime Minister, the right honourable Theresa May MP, as she sat listening to Mr Michael Gove giving assurances on where we are on law enforcement and national security matters. I am sure my noble friend Lord Wallace of Saltaire will cover these matters in more detail, but until I hear that Mrs May is satisfied with the arrangements made I will continue to remain concerned. It will be interesting to know if the Minister shares Mrs May’s concerns.
We have come to talk about data as the new oil. How we protect it, use it and exchange it will have a great impact on our future prosperity, our national security and our personal freedoms. It is incumbent on the Government to put arrangements in place that are at least as secure and beneficial as we enjoyed within the EU. This SI is only part of a Rubik’s cube of measures needed to carry out those objectives, and I am not convinced that the Government are anywhere near solving it.
Lord Vaizey of Didcot (Con)
It is a thrill to be speaking here this evening. This is my first speech in Grand Committee; I feel as if the set has been designed by Stanley Kubrick, but I will try to give my comments as reasonably as I can. I feel as if I am giving my second maiden speech, so I hope that all subsequent speakers will lavish me and my speech with extraordinary praise.
I begin by saying how enjoyable it is to follow the noble Lord, Lord McNally, who may or may not still be watching the proceedings. He and I indeed worked closely together in the coalition Government on data protection, and in fact it was he who first turned me on to the subject. One of my last acts as a Minister was to grab it and take it over to DCMS to try to realise my vision of DCMS becoming the leading department on digital.
As may have been gathered, data is an extraordinarily dull subject, particularly when it comes to regulations and legislation, but it is true, as the noble Lord, Lord McNally, said, that it is often called the new oil. The reason is that data flows ever more generously around our world; in fact, I am told that the size of the digital universe is now 44 zettabytes, which is 44 times bigger than our physical universe. There are 500 million tweets a day—mostly from President Trump; 294 billion emails a day; 5 billion searches; and 65 billion WhatsApp messages—mostly, no doubt, from Dominic Cummings. It is therefore quite clear that data dominates everything, and there need to be clear rules on how it is used and how it is harmonised across jurisdictions. Data is the new trade route. In fact, the UK, as in so many areas in technology, leads the EU; about 4% of our gross domestic product is now dependent on data companies and industries.
The noble Lord, Lord McNally, rightly spent some time talking about the GDPR. The GDPR is of course a bureaucratic and onerous regulation, but the new version of it came into being just at the time when the “techlash” was gathering momentum, when concern about one’s data, the way that it was used and the privacy surrounding it was very much at the forefront, and the GDPR is now seen as a bit of a gold standard. In any event, one of its unassailable merits is that it is now valid across 27 different jurisdictions in the EU, which means that any company using data within the EU knows that it can transfer across different countries. It has been copied in other states, even in countries such as South Korea, which is seen as a technology leader, while California’s recent passing of its own privacy law is very much dependent on the GDPR. Bureaucratic it may be, but it has become a model.
One of my concerns, though, about the GDPR is that it is not being used effectively by privacy regulators. I gather that only 3% of the 680 staff at our own Information Commissioner’s Office are tech specialists, and there is so far a failure to use the powers of the GDPR, for example, to take on big tech in the way it transfers the data of citizens between its applications. Think about the way that Facebook and Instagram share data. If the Minister wishes to comment on the ICO and its use of the GDPR, that would be welcome.
Of course, what the noble Lord, Lord McNally, also referred to is probably the most important thing and relevant to these regulations: equivalence across different countries and trade blocs. I notice that Japan recently agreed equivalence with the EU, thus surrendering, perhaps, some of its sovereignty to the EU without throwing a temper tantrum. We have not yet agreed equivalence with the EU, and I am told that if we do not reach a deal then the EU will start to consider data adequacy with us only when we become a third country. That will lead to chaos—chaos, I have to say, compounded by the decision of the European Court to reject the Privacy Shield between the United States and the EU. You have a three-way pile-up, with the UK caught somewhere in the middle.
However, there is some cause for optimism in the very dull subject of data. I unequivocally welcome the Government’s recently published National Data Strategy. Launched in September, it addresses some of the real opportunities that the data economy presents. The idea of standardising data across the public sector is extremely welcome, and being able to share data across silos to realise real gains is also very welcome indeed. The focus on data skills and training people in data and in the responsible use of data is a good thing. Some think perhaps that the national data strategy is not ambitious enough. I do not share that view. I think it is a welcome first step and, if implemented properly, will maintain our leadership in this very important area.
However, horizon-scanning ideas are beginning to emerge—for example, the need for companies to value their data. It is astonishing if you look at the accounts of big tech that nowhere will they put a price on the enormous amount of data they harvest from their users. If you put a value on data, you might see companies work harder to make it more secure and—dare I say it or whisper it—it might even be possible for national Governments to tax that data. The wealthiest people in the world really are data billionaires, rather than anything else.
The other emerging idea is that of data trusts. They are a bit like a pension trust where you can put data into, as it were, a separate part of a company and have it governed separately. This could help small companies manage their data more effectively and create whole new industries. For me, all this is very exciting and brings me back to the point to thank the noble Lord, Lord McNally, for first turning me on to data.
Baroness Fox of Buckley (Non-Afl)
To the noble Baroness, Lady Barran, I say that I am hoping that the Government use the opportunity of leaving the EU to review, from scratch, after this SI, some of the laws associated with data protection. I want to emphasise the privacy aspect of data, which I think is hugely important and not without challenges.
When the EU’s GDPR law was introduced in the UK, supposedly to protect individuals’ data and privacy from exploitation by big government, big tech and big corporates, it managed to become a universally hated piece of legislation on the ground, and privacy issues ended up being drowned out by bureaucracy and rules. As the noble Lord, Lord Vaizey, reminded us, the original catalyst for the new GDPR laws was the 2013 Edward Snowden leaks, which revealed that citizens all over the US and Europe had been caught up in the illiberal harvesting activities of the US intelligence services. Many of us were rightly horrified by the US authorities’ invasion of users’ privacy.
However, the reaction to this government state overreach was, ironically, to give the state regulators a whole new set of legalistic and bureaucratic powers, like so much of Brussels law-making. I do not think this has helped. However well intentioned, GDPR data protection has become a barrier to communication, rather than a protector of privacy. If you talk to people in universities, charities or small business, and even medical practitioners, you find they just cannot contact anyone unless they find the record of them having given explicit consent to receiving emails in their backlog. It has all become a bit of a nightmare. It has placed huge burdens on small charities, arts organisations and church groups, which are dependent on databases to raise funds and their profiles. Anyone who breaches the rules is threatened with scarily huge fines. Obviously, that frightens people, and I do not think the GDPR rules are fit for purpose, but, of course, big tech and big corporates can afford to get round those fines, employ lawyers who will exploit loopholes, and so on.
I make this complaint not to underplay the importance of digital privacy but as a plea for sensible data-protection rules moving forward, which will safeguard individual freedom and allow small organisations to competitively accrue data to survive. I am also concerned that there is a real problem in relation to a broader climate of compromising privacy. I note that NHS Test and Trace initially broke GDPR rules, which no doubt damaged the public’s confidence in its appropriate and secure use of data. I am also looking for some reassurance from the Minister that the sort of state surveillance, data collection and data sharing being used in this pandemic, which is short term and should be extraordinary, will not be sold to the public in the future as the new normal. I also have some concerns that, as we speak, the Government are encouraging big tech to breach users’ privacy by demanding that it monitors the communications et cetera of its users, and even censors misinformation. Therefore, the Government are strengthening big tech’s authority and giving it the authority to breach data privacy.
Furthermore, did noble Lords note, earlier this month, that there was a draft resolution from the EU Council to weaken end-to-end encryption—E2EE—putting the likes of WhatsApp under pressure to implement back doors for security services and law enforcement to have access to private communications? Obviously, we are not in the EU now, so the UK can ignore this illiberal proposal but, again, can the noble Baroness reassure me that the Government are not tempted to cite national security and law enforcement to breach privacy? I note the dismay among international journalists, which is just one group who are worried that their data will be used to compromise their professional work and privacy.
Finally, frankly, I worry about a more informal disdain for privacy. I am somewhat dismayed by the number of leaks emanating from the heart of Westminster. WhatsApp, texts, private meetings among colleagues all end up in the public realm or newspapers. This does not show any real regard for private communications. When considering online privacy and data, it is important that we protect private data and encrypted messages, whether from cybercriminals, hackers, oppressive regimes, big tech, big government or even the wrong kind of laws. Actually, this is less about laws and more about having a public debate, establishing that privacy is an important civil liberty, and we should not let the rules get in the way of that discussion.
Baroness Neville-Rolfe (Con)
My Lords, it is always a joy to speak after the noble Baroness, Lady Fox of Buckley, because of her talent for challenge—this time on privacy. This is important, although I think these SIs are narrower than the sort of points that she was interesting us in.
Like the previous regulations that we debated, these make changes to orders relating to life after Brexit—in this case to 2019 regulations on data protection, privacy and electronic communications. Many of the changes are minor and I support them. I refer to my various business interests, most of which are affected by data. I was also the Data Minister at DCMS, and that was during the negotiations on the GDPR which, ironically, we agreed to in good faith to try to help in the negotiations with the European Union in the run-up to the referendum. Indeed, I took over the portfolio from my noble friend Lord Vaizey. Perhaps because he was bored by data, which he has admitted to today, or perhaps because he was so busy with the glamour of digital and its pioneers, he passed it to me with a huge portfolio of ministerial correspondence to deal with, so I had my work cut out. He also gave me the chance to make some progress with nuisance calls, which are a very important consumer issue.
I rise to speak for three reasons. The first is that data is incredibly important to the modern economy. It is the “big oil” equivalent in the 21st century. It is vital to banking, to telecoms, to retail and supply chains, to pop music and entertainment, to aviation, to transport and energy and, with Covid, to pretty much everything else—notably, of course, education, healthcare and border controls. My noble friend Lord Vaizey gave us an idea of the sheer scale of this. He rightly said it was “the new trade route”—I like that as a parallel. It is so important that we cannot slip up in this area. It is possibly even more important than physical trade.
Secondly, I would like to know the latest thinking within the EU on data. I have the honour to sit on the Lords EU Committee. As the noble Lord, Lord McNally, has already said, we tackle data together. It is one of the aspects of the ongoing FTA negotiations that worry us most. The Government in their wisdom— Mr Hancock was the Minister—brought in a special Act, the Data Protection Act 2018, to ensure we were fully compliant with EU rules and norms on exit day. This was to enable the EU to grant the equivalence status we need, which, as we have just heard, Japan has recently acquired. I am not sure I would have done it that way, as the Act is very burdensome, especially for small businesses, charities and local councils. Everyone, including your Lordships, risks breaches, which at the upper limit attract vast fines—an odd way to take back control. Unfortunately, so far, this has not been a successful strategy. As far as I know, we still await an equivalence decision on data. As with financial services, one assumes this is being held back by the EU as a negotiating ploy. To my mind, this is not very responsible, given the huge interest of both sides in proper data flow. Maybe my noble friend the Minister can reassure me and advise that there is a contingency plan for a year or two—as we have seen on the share trading exchanges in the financial services area—if FTA talks falter or fail, or equivalence is formally withheld for any reason. The noble Lord, Lord McNally, touched on this point and suggested that businesses needed to be consulted on contingencies. I certainly look forward to my noble friend the Minister’s reply on that.
My third reason for speaking is that I spent time in Washington helping—or trying to help—to sort out a US-EU deal on the Privacy Shield in 2017, persuading the US to give some ground. I was therefore extremely disturbed at the European Court judgment against the arrangement on 16 July 2020. During discussion on the Trade Bill on 1 October, the Minister suggested that standard contractual clauses had been supported in that judgment and that updated guidance from the Information Commissioner’s Office would be available “as soon as possible”. Is that now available and what does it, or will it, say? Most important of all: will it solve the problem?
In the meantime, I note that the Privacy Shield decision is removed from our regulations, as we have heard. I also see the reference to guidance for small businesses and to standard contractual clause templates in paragraph 13.2 of the DCMS’s helpful memorandum. But I repeat my question: does this solve the problem? If so, can the Minister kindly explain on the record how and why?
In closing, I support my noble friend the Minister and the Government in getting this and other SIs through in a timely manner before exit day, and I very much hope that she will be able to reassure me.
Lord Stevenson of Balmacara (Lab) [V]
My Lords, I am grateful to the Minister for her very clear introduction of this SI. The main thrust of it is obvious: it is an amending sequence to make sure that we are ready for the end of the transition period when it comes. Like the other speakers so far, I have no particular concerns about the issues.
I will make two points, which have been touched on already. There is a rather coy comment in the statutory instrument Explanatory Memorandum about the impact of the Privacy Shield and, in turn, its impact on the Schrems II decision. Put simply, it says that revoking would have no real effect—but I wonder whether the Minister could take us a little further down that route when she comes to respond. It seems to me that the issues here are important. If I am right in saying that the decision we are all waiting for, on the transfer of personal data under the data adequacy agreement, will take into account both the GDPR as it was translated in the Data Protection Act and the LED—including the legal consequences of the directive that deal with that aspect of the work—do we not need to have in our mind the considerations that Schrems brought on the Privacy Shield and related issues? If it is true—and I think it is—that both of these issues will be examined by the EU when it comes to make a decision about data adequacy, we need to have a better response than simply ignoring how the Privacy Shield would have operated, and now cannot operate, and whether or not it impacts on the way in which we do things. I look forward to the Minister’s response on that.
It was good to hear the noble Lord, Lord Vaizey, display both his concern about the dullness of data and his enthusiasm for some of these issues—in particular policy around data, on which his fingerprints are very evident. I welcome him to the unfortunately very small number of Members of your Lordships’ House who take an interest in this; I hope that his interest will also span across into intellectual property, which we have not heard enough about recently. Those who are interested tend to be gathered around this table and need a transfusion of new blood every now and then. I hope that he will be able to provide that—not literally, of course.
The noble Lord mentioned the curious case of the Japan free trade agreement, which is referred to in paragraph 7.6 of the Explanatory Memorandum. I have a slightly different take on that. It is interesting that Japan has accepted the accolade of being found to be data adequate, particularly as its relationship with the GDPR is not the same as ours. It certainly approaches data in a slightly different way. As I understand it, the Japan free trade agreement—we have yet to debate it in your Lordships’ House but hopefully will do so shortly, and I gather that a date has now been found for such a debate in the Commons—has in it a section to do with digital trade. That may not be in the Minister’s main portfolio, but it is important.
The memorandum says that digital trade between the UK and Japan after the transition period has ended will be based on the “free flow” of data. I find that slightly odd and I wonder whether the Minister can comment on it. Surely it is not free flow; it is flow based on the considerations in the GDPR and the LED, transposed into our legislation. A judgment will be made on whether it is a constrained flow, precisely because we have concerns about the free flow of data not being in the best interests of our citizens—a point made by the noble Baroness, Lady Fox.
We need to be a little more certain when we come to this decision because it seems that if we are to make deals with data as part of those functions, we must be secure about what we are actually doing when we sign off these documents. This is an important part of our economy and a crucial part of our relationships with the EU. It would surely not be in the best interests of UK plc to have an agreement with Japan, however important that is, which threw further doubt on our ability to meet the data adequacy concerns.
Lord Wallace of Saltaire (LD) [V]
My Lords, this is the third SI on this topic that has come before Parliament since the beginning of 2019. My colleagues have been dealing with similar revisions to already revised statutory instruments on other aspects of leaving the EU, and on a wide range on subjects. At least here we have the excuse that the CJEU’s ruling on the privacy shield, Schrems II, has necessitated further provision. In a debate earlier this afternoon, the noble Lord, Lord True, told us that the two previous drafts on public procurement had set out adjustments necessary for a no-deal outcome, but that the one we were considering today set out the detailed implications of a deal in that area. I am not sure whether I understood or believed his explanation.
I have several concerns about the implications of this SI. I was told in a briefing a week ago that Dominic Cummings detested the EU’s general data protection regulation and was determined that UK legislation should diverge from that standard. Now he has left the Government, but I am not yet sure that his influence has disappeared. The terms of the UK-Japan trade agreement appear to offer individuals fewer protections for their personal data than under GDPR, as many commentators have pointed out. It states that
“each Party should take into account principles and guidelines of relevant international bodies”,
such as the OECD. The Minister will appreciate the level of concern among the engaged public about lowering the protection for personal data now that we have left the EU. I thank her and her colleagues for offering briefings on the evolution of the Government’s digital strategy to interested Peers and I look forward to reassurance on this important principle.
The free flow of data across borders is a vital element in the digital economy, under appropriate regulatory conditions. I was concerned to read in the Secondary Legislation Scrutiny Committee’s comments on this SI that
“DCMS told us that the Commission was currently assessing the UK for adequacy under both the General Data Protection Regulation and the LED.”
Can the Minister tell us when the Commission is expected to complete this assessment?
Then there is the question of data sovereignty, which of course was one of the issues in the Schrems II case. My colleague and noble friend Lord Clement-Jones has written powerfully about the need to hold on to our national data assets as the foundation of a strong domestic base for digital enterprise but also as a matter of national and personal security. I note that health data has become a sector particularly vulnerable to multinational companies and hacking.
The UK Government are peculiarly relaxed about UK public data being stored on servers in the United States, in spite of the provisions of US law that make all data stored in the USA subject to surveillance, as others have mentioned. Our current Government, from the Prime Minister downwards, have an obsession with protecting the UK’s absolute sovereignty from any incursion by EU regulation or law but seem entirely relaxed about extraterritorial American jurisdiction and surveillance. Many of us anticipate that, outside the EU, the UK will not prove to be an independent sovereign state—let alone a sovereign equal of the United States and China—but will become more and more dependent on the United States and a follower of American rules and regulations. If the UK supervisory authority is to diverge from the GDPR, it is most likely that it will converge on US regulation and take the American side in likely disputes with the EU. Do the Government plan to ensure that UK public data is stored in the UK rather than in the United States?
The law enforcement directive struck a careful balance between personal rights and national security. UK officials and Ministers played an active part in negotiating its terms. Our Government were one of the most active in pressing for further data exchanges related to cross-border crime and terrorism, from aircraft passenger names to intelligence on suspects. Cross-border travel, and cross-border crime and terrorist attempts, will not stop now that we have left the EU, but we need to ensure that such exchanges of data are tightly regulated and scrutinised. Until we left, the CJEU provided that scrutiny. Can the Minister tell us what shared mechanism will now be established to scrutinise such exchanges, strong enough to satisfy defenders of civil rights and personal privacy both within the UK and the EU? How confident is she that the UK will be able to ensure its security by maintaining access to these vital but highly sensitive databases?
I recall hearing Conservative MPs assert that we had no need of Europol—for example—when we left the EU because we could rely on our membership of Interpol. That level of ignorance about the quality of different international bodies, that assumption that an organisation that has Russia and China as significant members is preferable to one in which we shared more information with our democratic neighbours, leaves some of us close to despair about where the Government may be drifting.
I have one final question. How do the Crown dependencies fit into this post-Brexit pattern of data exchange? Can we be confident that their regulation is as tight and as open to scrutiny as within the UK and on the European continent? We do not want an offshore world around our shores through which financial data, dark money and criminal assets may flow unseen. What discussions are the Government engaged in with the Crown dependencies to ensure that no loopholes in our post-Brexit regulation of data are left on our doorstep? The Minister may wish to write to me on this matter.
Baroness Barran (Con)
I am grateful to all noble Lords for their consideration of this instrument and their thoughtful contributions to this debate. The noble Lord, Lord McNally, pointed out the level of expertise around our virtual and physical Chamber. That is no novelty in this House, although having such a number of previous Ministers from DCMS here today feels like a particular form of pressure.
My noble friend Lady Neville-Rolfe and the noble Lord, Lord McNally, focused on the importance of achieving a data adequacy agreement with the EU. Doing this remains a priority of this Government. We are working constructively with the Commission to secure data adequacy by the end of the transition period and are making steady progress. We see no reason why we should not be awarded adequacy since we remain committed to high standards, but the process is controlled by the Commission and we are realistic about the increasingly challenging timelines for completing this.
To respond to my noble friend Lady Neville-Rolfe’s questions about preparation, the UK is taking sensible steps to prepare for a situation where adequacy decisions are not in place by the end of the transition period. In such a scenario, businesses and other organisations would be able to use alternative legal mechanisms to continue to transfer personal data—of course, standard contractual clauses are the most common legal safeguard and would be the relevant mitigation for most organisations.
Guidance can be found on both the GOV.UK website and the Information Commissioner’s website regarding steps that organisations may be required to take relating to data protection and data flows by the end of the transition period. Organisations can also call the Information Commissioner’s helpline for further information.
The noble Lords, Lord McNally and Lord Stevenson, talked about the rollover of Japan’s adequacy decision. Specific UK arrangements have now been confirmed regarding the recent EU adequacy decision for Japan. This secures the necessary protections for UK data as well as EU data, so that data that flows from the UK to Japan will continue to receive the same level of protection after the transition period as they currently do.
More broadly, in relation to the Japan free trade agreement—which was raised, again, by the noble Lords, Lord McNally and Lord Stevenson, as well as the noble Lord, Lord Wallace of Saltaire—the UK-Japan FTA includes three provisions that seek to enhance cross-border data transfer relating to personal information protection, cross-border flows and data localisation. The data provisions the UK has negotiated with Japan exceed those agreed previously in the EU-Japan economic partnership agreement, which contains merely a review clause, and will enter into force on 1 January 2021. The agreement recognises the importance of protecting personal data and commits both parties to maintaining a legal framework that provides for the protection of personal information.
I fear that I may disappoint the noble Baroness, Lady Fox, in her wish to see an end to the GDPR. The GDPR will be retained in domestic law at the end of the transition period, but we will have the independence to keep the framework under review. As with all policy areas, the UK will control our own laws and regulations in line with our interests as we move forward.
The noble Lord, Lord Wallace of Saltaire, questioned the impact on our data protection standards in relation to our trading relationship with the US. We know that, far from being a barrier to innovative trade, certainty and high data protection standards allow businesses and consumers to thrive. As all noble Lords have remarked, data is now the driving force of the world’s modern economies and fuels innovation across all sectors.
I thank my noble friend Lord Vaizey for his kind remarks about our new National Data Strategy. Sadly, I missed his maiden speech, so I am glad to have had the chance of a second session. The National Data Strategy is ambitious and pro-growth. We seek to ensure that people, businesses and organisations trust the data ecosystem, that they are sufficiently skilled to operate within it, and that they have access to high-quality data, as well as to provide the coherence and impetus for data-led work across government.
A number of noble Lords, including my noble friend Lady Neville-Rolfe and the noble Lord, Lord Stevenson, referred to the Schrems II decision. The UK Government are pleased that standard contractual clauses remain in place as an important mechanism for transferring data internationally, but we are disappointed that the EU’s adequacy decision on the US Privacy Shield has been invalidated by the CJEU in its judgment of 16 July. The Government are working with the Information Commissioner to address the impacts of the judgment on UK data controllers.
During the transition period, this includes the ICO supplementing the guidance provided by the European Data Protection Board and the European Commission with targeted advice to help UK controllers. Most recently, and since the Explanatory Memorandum was prepared, the European Data Protection Board has issued guidance on how to assess whether to supplement standard contractual clauses with examples of supplementary measures that could be used, if needed, to ensure that personal data remains protected to the required standard. It has also updated the templates for the standard contractual clauses. These were published for consultation on 12 November and have been updated to cover processor-to-processor and sub-processor transfers. The noble Lord, Lord Vaizey, commented on the boredom of data—maybe this is a small example.
In response to the remarks of the noble Lord, Lord Stevenson, the greatest impact will be on organisations which transfer data to the US, particularly to those US companies who had previously signed the privacy shield. After the transition period, the Secretary of State and the Information Commissioner will have powers to issue new instruments relating to transfers of personal data under Article 46 of the UK GDPR.
My noble friend Lady Neville-Rolfe asked about the burden on SMEs of having no adequacy agreement. Officials in DCMS, who were rightly congratulated on their work in this area, are engaging with SMEs through meetings and webinars to try to help them prepare for a scenario where adequacy decisions are not in place by the end of the transition period. In such a scenario, as noted already, organisations would be able to use alternative legal mechanisms to continue receiving personal data from the EU and the EEA.
The noble Baroness, Lady Fox, asked about the impact on law enforcement of not receiving adequacy. In this scenario, if we do not obtain a law enforcement adequacy decision, competent authorities would be able to rely on alternative mechanisms to continue receiving data from the EU, and transfers will most likely occur using the appropriate safeguards provision.
The noble Lord, Lord McNally, asked how we would continue to influence the development of international data standards. Since the UK is a signatory to the Council of Europe’s Convention 108, that is one route; the ICO also has functions to co-operate with data protection regulators in other countries.
I see that I have run out of time, so I apologise to those noble Lords whose questions I did not cover, but I will write. I thank all noble Lords again for their remarks.
The Deputy Chairman of Committees (Baroness Watkins of Tavistock) (CB)
That completes the business before the Grand Committee this afternoon. I remind Members to sanitise their desks and chairs before leaving the Room.