Lord Stevenson of Balmacara (Lab)

- Hansard -

Copy Link

-

My Lords, in moving Amendment 88, which is in my name and those of the noble Lords, Lord Warner and Lord Clement-Jones, I will speak to the related Amendments 129, 157 and 338. These amendments are probing in nature, and I look forward to hearing the Minister’s response. Their purpose is to add a prohibition to the Bill equivalent to the one found on page 6, line 19, for the Human Rights Act so that it is not possible for Ministers to amend or revoke the GDPR, the Data Protection Bill when it comes into force, or subordinate secondary legislation arising from it. In that sense, it follows the discussions that we have been having in Committee on recent amendments.

One of the first Brexit Bills to reach Parliament was the Data Protection Bill, which completed its Lords stages earlier this year and has just had its Second Reading in the other place. It is a Brexit Bill in two senses: it brings in the legislation needed to give effect to the EU’s general data protection regulation, the GDPR, which will be in force here before and after Brexit; and it aspires to ensure that the rules governing personal data in the UK will satisfy the European Commission that our legislative framework gives a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed in the EU, or the Union, as it is called. This is what is called an adequacy agreement.

The importance of getting an adequacy agreement from the European Commission cannot be overstated. Without it, it would be illegal to continue to exchange personal data with other EU countries after we leave. As well as being worried about whether the DP Bill will be enacted in time before 25 May 2018, this is the biggest issue raised by the industry—investment, location of its businesses and future growth are intimately tied into what happens to our EU adequacy agreement.

To be clear on the timing issue, as an EU regulation, the GDPR will be directly applicable in the UK without the need for an Act of Parliament from 25 May 2018, but how we transition into the post-Brexit world is key to the question of adequacy. One of the judgments we will face is the extent to which our data protection regime has varied from the EU since 25 May 2018. As things stand, this can be done by secondary legislation under the powers outlined in the Bill. To the extent that this is foreshadowed within the Data Protection Bill there can be no objection, provided that these changes are within the scope of the Bill once it is given Royal Assent. Clearly, it is crucial that the powers exist to correct any deficiencies that arise as a result of the current text being retained post exit, since much of it relates to EU structures and organisations that have to be translated. It is also right that there is a power to replace specific articles of the GDPR and, dare I also mention, the recitals that would be deficient and possibly confusing in a UK-only context. But corrections and adjustments in a Bill that has been approved by Parliament are not the same as wholesale changes made by Ministers, which, although there are safeguards, are not prevented under Clause 7 of the Bill before us.

My first argument is that, as with the Human Rights Act, the Data Protection Bill, dealing as it does with important rights of individuals over their personal data, should be protected against changes to that regime made through secondary legislation. It might be argued that similar kinds of changes will need to be made to a wide range of EU-derived legislation to ensure a smooth exit and that there is nothing particularly special about data protection in this regard. But is that right?

I want secondly to argue that there is something special, something extra, about data protection which warrants it being given the additional treatment outlined in the amendments. Remarkable though it may seem, I believe that I have the support of the Prime Minister on this. In her statement on our future economic partnership, she said,

“I am proposing the broadest and deepest possible future economic partnership, covering more sectors and involving fuller co-operation than any previous free trade agreement. There are five foundations that must underpin our trading relationship”—

the fourth of which was—

“an arrangement for data protection that goes beyond an adequacy agreement”.—[Official Report, Commons, 5/3/18; col. 26.]

There is not much detail on what she means by going beyond an adequacy agreement, other than when she said in her Mansion House speech that she wanted to see,

“an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes”—

a modest, though not unimportant, request.

It is not hard to see why data protection is being treated as a special case. Forty-three per cent of EU tech companies are based in the UK and 75% of the UK’s data transfers are with the EU member states. They need us as much as we need them, and everybody wants early certainty. It is an important part of our economy and it would be mad not to do whatever it takes to allow those companies to thrive and grow within the United Kingdom.

However, we now know that the EU takes a fundamentally different stance. In the draft negotiating guidelines circulated only last week, the text reads:

“In the light of the importance of data flows in several components of the future relationship, personal data protection should be governed by Union rules on adequacy with a view to ensuring a level of protection essentially equivalent to that of the Union”.


Like the words of the Prime Minister that I quoted earlier, this is obviously preparatory to a negotiation and it may be possible in time to reach a satisfactory compromise, but that passage reads to me like a setback to the UK position. We are being told that there has to be an adequacy agreement of the type offered to any and every third country—as we will become—which is all that is on offer. Surely the sting is in the final section, where the message is: EU rules apply. Of course, initially they will apply because of the GDPR as implemented on 25 May 2018, but, as time goes on, there will be changes not just in the text but through court judgments and other mechanisms.

An EU adequacy agreement is in effect the granting of a general permission to move data across national borders where the Commission has recognised the data protection standards of the third country as being adequate, but it is by all accounts quite a formidable exercise and it takes time. At the end of the process, there is no graduation. If you pass, there are no distinctions, merits or first-class honours; it is just pass or fail, and you are judged adequate or not adequate. Not adequate means the end of any UK-based data processing industry—financial services comes to mind—as far as intercountry personal data transfers are concerned.

We also know that an adequacy assessment of the UK by the EU will not only evaluate our data protection and privacy laws but examine the totality of UK domestic law, including UK security law and the UK’s international commitments, to determine whether there is a level of protection of fundamental rights and freedoms that is “essentially equivalent” to that guaranteed within the EU. This does not require identical law but laws which offer substantially the same level of protection. Despite the welcome changes made in the Bill, we know that there will be some issues of concern in the area of national security and defence.

The Prime Minister says that she wants an arrangement for data protection that goes “beyond an adequacy agreement”. So what could we do to help here? What would “adequacy-plus” look like? In some senses, the solution is not adequacy agreements but a treaty—however, we can only guess, given where we are in the process. Given that the DP Bill will contain substantial amounts of EU retained law, it surely follows that the regime that it establishes needs to be properly safeguarded and not subject to vicarious amendment if we are to be able to trade data as at present.

If we want to be helpful to the Prime Minister, and I am sure that the noble Baroness, Lady Goldie, would want that, we should make sure that the Government accept these modest amendments. After all, what would strengthen more our chances of an adequacy-plus ruling or provide a basis for a treaty that reassures all those working in this area than ensuring that the DP Bill when it is an Act can be amended only by primary legislation after full scrutiny by Parliament? I beg to move.

Lord Stevenson of Balmacara

- Hansard -

Copy Link

-

My Lords, I thank the noble Lords, Lord Warner and Lord Clement-Jones, for their contributions. The interesting exchange we have had here went a bit wider than we perhaps needed to do on this Bill. But I am afraid that it reflects our concern on two, or perhaps now three, sides of the House that we may have missed something quite important in relation to the Data Protection Bill and its assurance of the fundamental rights involved in it.

The Minister said that she felt that the Government had fully implemented the GDPR through the Data Protection Act—but I do not think that is right. This is for another time, but the amendment to Clause 2 that was made on Report, which we welcomed and signed up to, flagged up that the Government had not quite yet got to the bottom of the argument. The rights deficit that arises with the failure to ensure that Article 8 of the Charter of Fundamental Rights is in place as a back-stop or underfloor element to the Data Protection Act means that there may be dangers going forward. That was the starting point for this amendment. If it is possible to see it more fully worked in the way that was suggested creatively by the noble Lord, Lord Warner, building on an earlier suggestion from the noble and learned Lord, Lord Mackay, with the Bill picking out high-risk areas in our public life which need to be given extra protection, that might be a solution to one of the issues raised.

Lord Stevenson of Balmacara

- Hansard -

Copy Link

-

I am grateful to the noble Lord for his intervention, because it allows me to refer back to the recently received JCHR report, Legislative Scrutiny: The EU (Withdrawal) Bill: A Right by Right Analysis. I am sure he is familiar with it. It says, if I can find the paragraph—I will talk quickly until I do—that there is still some doubt as to whether the treatment accorded to Article 8 of the Charter of Fundamental Rights is covered in the Data Protection Act. The report says:

“The Government … relies heavily in its analysis”,


on the GDPR,

“as a means of incorporating Article 8 of the Charter into domestic law. The GDPR and the Data Protection Bill contain numerous rights for data subjects. However, the Bill does not explicitly incorporate Article 8 … Given the vast number of exemptions and derogations from these rights provided for in the Bill, there is a question as to whether the Bill offers protection that is equivalent to Article 8 of the Charter”.

I put it to the noble Lord that this is an open question.

I know that I am straying into territory that we do not need to, but I started doing that because I was aware that my noble friend the Leader of the Opposition had not yet arrived to take the Statement. I have now been caught going a bit further than I should have, and I apologise to your Lordships’ House. I will sum up quickly. I accept the good intentions from the Minister. May I suggest to her that it might be worth one further discussion on this issue before we finalise our consideration of this Bill and the Data Protection Act? With that, I beg leave to withdraw the amendment.