Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
Debate between Lord McNally and Baroness Ludford(5 years, 3 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord McNally
My Lords, I was planning a peroration, but I think I will leave it at that.
Baroness Ludford (LD)
My Lords, first I have a couple of housekeeping questions which I hope are not too banal. I find considerable difficulty using the legislation.gov.uk website and its search function. Will the Minister ask his civil servants to check it out? Even if you search for “data protection 2019” under UK SIs, both the previous one and this are difficult to find. There was a 19 December version of these regulations, which were replaced in January. I must admit that I have not pored over every line of both to find the differences. Will the Minister explain why that was necessary?
Secondly, I want to ask about the absence of an impact assessment. Paragraph 12 of the Explanatory Memorandum states that:
“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”.
The pretext is that, while the Government recognise that:
“Data flows from the EEA to the UK may be restricted post-exit”—
because, if there is no deal, we will be plunged into a situation where there is no legal framework and no adequacy decision—
“that is as a consequence of the UK leaving the EU, not as a result of this instrument”.
That is the justification for having no impact assessment. However, if we left with a withdrawal deal and a transition there would be a legal framework, so this instrument, which provides for both a no-deal scenario and one in which there would be no adequacy decision, surely merits an impact assessment as well as the consultation to which the noble Lord, Lord Adonis, referred.
As the ICO has made clear, and as has been mentioned already, businesses may have to deal both with the ICO and with European data protection authorities in every EU and EEA state where they have customers. They may need a European representative if they process the data of people resident in the EEA or have customers in the EEA. There would be additional complexity if they had to comply with both the GDPR and the UK GDPR. They could face concurrent legal claims in both the UK and the EEA. Will the Minister amplify the justification for having no impact assessment? Data flows are crucial to many businesses, not just the tech industry—there is hardly a business or other organisation that they do not affect—so the rather blasé claim that no impact assessment is needed is not justified.
I am a bit confused—it may just be my lack of understanding—about the situation regarding EU adequacy decisions on third countries. Paragraph 2.8 of the Explanatory Memorandum says there will be,
“incorporated into UK domestic law … EU decisions on the adequacy of third countries and on standard contractual clauses, both of which are relevant for … international transfers”.
Paragraph 2.13 says:
“It will not be necessary to retain the EU decisions on adequacy and standard contractual clauses … so these are revoked by this instrument”.
If I have understood the Minister’s presentation, this is explained by the fact that we are recognising and incorporating past EU adequacy decisions, but that in the future, in a no-deal scenario, the UK will take over that function: I venture to suggest that that is not very clearly explained in the Explanatory Memorandum.
Lord McNally
I withdraw the word “farce”. However, while the Minister is putting great emphasis on the good fit between what he is proposing and the GDPR, the reason why that good fit exists, as I said in my remarks, is that the GDPR itself was massively influenced by British officials, who played a major role in its construction. What he is gliding over in his assurances is that if, as is likely, there are changes in the European GDPR in future then we will be coming, like the Norwegians, only to listen and accept—because, make no mistake, if there are changes in future, it will be massively in Britain’s interest to accept them. This is the loss of sovereignty that the whole process is trying to glide over. We will not have the same influence on data protection in future as we have had in the GDPR itself, which is why the fit is so comfortable at the moment.
Baroness Ludford
Forgive me, but I would like to follow up on that. I really think the Minister is overselling what is in paragraph 9 of the political declaration. Last June, the Government issued a technical note about wanting a legally binding data protection agreement, and I described that earlier as a “Brexit in name only” kind of arrangement. They wanted that because there are,
“benefits that a standard Adequacy Decision cannot provide”.
Except for one sentence in paragraph 10 that talks about arrangements for appropriate co-operation between regulators, paragraph 9 is about a standard adequacy decision—no less but certainly no more. It talks about the European Commission recognising,
“a third country’s data protection standards as providing an adequate level of protection”.
It is not what the Government hoped for last June. I do not understand why the Government are trying to pretend. We can all read paragraph 9 once we have googled it and reminded ourselves, so to say that it is more than an adequacy assessment process is simply not true.