Lord Griffiths of Burry Port (Lab)

- Hansard -

Copy Link

-

My Lords, in the middle of all that I shall provide a still, small voice of calm for a moment—perhaps—in keen anticipation of the response of the Minister, who will have to orchestrate the energies that have been released and deal with the blood pressure of my noble friend Lord Adonis.

I have looked at this statutory instrument. I can see 65 pages of intricate cross-stitching, as an untold number of lawyers for untold numbers of hours have pored over pieces of legislation, harmonised what can be harmonised, tweaked what can be tweaked and produced at the end an unreadable pastiche, leaving us reliant on the Explanatory Memorandum. As I sat at my kitchen table on the sunniest weekend we have had this year so far, with pieces of legislation spread out all around me, there was no other method available to me.

I read of changes to the GDPR and the law enforcement directive,

“over which our Information Commissioner’s Office and UK civil servants have had considerable influence”.—[Official Report, Commons, Sixteenth Delegated Legislation Committee, 14/2/19; col. 1.]

That we, once among the architects of how we handle our data as a continent, should now be in the position we are in is a great sadness. I would say the same thing for the European Court of Justice, which we had a formative contribution in shaping. That we are arguing these points in this way is a dreadful place to be.

I echo what has been said to my left and to my right about reciprocity, adequacy and all that. At the moment of leaving, we will, I suppose, accept the remaining members of the European Union as having passed the adequacy test. Indeed, through the Privacy Shield scheme in the United States, we will offer that sense of adequacy even beyond Europe. But, as has been said, the negotiations to have some reciprocity and adequacy expressed for our own case will take an indeterminate time—two years has been mentioned, and the Minister will respond to that in due course. It seems such a strangely asymmetrical presentation of these important facts. I want to ask, as others have done: is it true that the assessment of adequacy for the United Kingdom might take as long as that?

In his opening remarks, the Minister mentioned that, at such-and-such an item in the political agreement, there is reference to the urgency with which certain of these things must happen. Perhaps he will excuse my ignorance on this point, but, if there is no deal, is there no deal in respect of the deal and of the political agreement? If so, the item he referred to falls, as indeed does the deal.

The noble Lord, Lord Balfe, made a speech last week on what happens once you have reached a fixed point, which has again been hinted at in this debate. At the moment, all we are talking about is something that will come to pass on a particular date, just five weeks away, at which point things should square up with each other. But what happens in the two years it will take for adequacy for us to be granted by the negotiating process that will then begin? What happens if decisions about how to act in the area of the management of data begin to diverge? It is not a fixed position. What mechanisms do we have to handle a shifting scene?

My noble friend Lord Adonis mentioned Japan. It did not come into the picture because, at the time this statutory instrument was written, something was happening that had not yet been brought to a conclusion. But we now know what the conclusion is, and we see that Japan will be a much more difficult case to crack than we had thought. Once again, we are in a bad place.

Without a deal—or even, it seems, with one—the ICO will no longer sit on the European Data Protection Board. The noble Lord, Lord McNally, referred to the loneliness of the Norwegian, and it is worth emphasising that all over again. It will be a dreadful thing for us to send our top person to such discussions and have her sit out and have no real practical influence—this is the United Kingdom we are talking about—nor will she be able to participate in the GDPR’s one-stop shop mechanism. This is another terrible place to put her. How should we feel about this? I think it is important.

Incidentally, I see why there is no impact assessment or public consultation: all the people who might have been available to harness such an impact assessment or consultation have been disentangling laws and working as drones to put this SI together. I cannot feel that we are doing anything that any of us would be other than ashamed about with the passage of time.

On the age at which consent is deemed to have been given, are the Government, in opting for 13—there was a spread of ages between 13 and 16 when we considered the Data Protection Bill last year—achieving by secondary legislation what we were reluctant to do just a year ago with the primary legislation? What is our duty of care in such circumstances?