I beg to move,
That this House
has considered Exiting the European Union and Data Protection.
The digital revolution through which we are living is bringing about the fastest pace of change that any generation has ever seen. With advances in technology accelerating, it is likely that this current pace of change will be the slowest that any of us will experience probably for the rest of our lives. This vast change brings with it big opportunities. We have opportunities to communicate, innovate and organise in ways that were simply inconceivable just a few short decades ago. It also brings with it challenges: to harness the technology for good; to mitigate harm; and to make sure that everyone can benefit.
Underpinning this revolution is the fact that the cost of storing and transmitting data has collapsed faster than at any time since the invention of the printing press, and perhaps at any point in history. The new technology then cut the cost of storing information from the cost of a handwritten manuscript to the cost of print, and the revolution now has cut the cost from that of print to the almost infinitesimally small cost of data storage. Data is therefore the fuel of this new digital economy, and getting the rules on data right is mission-critical for strength in the future.
As well as being fuel for change, data is a massive stimulant for our economic growth, jobs creation and innovation. The UK has Europe’s largest and most dynamic digital economy, attracting approximately £28 billion in technology investment since 2011. The UK also has the largest internet economy of all G20 countries, emphasising the fact that data is rapidly transforming our lives, and creating exciting and innovative opportunities right across the world. The impact is, of course, much broader than just in the tech industry itself. Data underpins social interactions: a Skype call to a family member on the other side of the world; our cultural collaboration, as performances are broadcast across borders; and almost every other part of economic activity, and almost all trade. The importance of the digital economy as a catalyst for job creation and innovation continues to increase exponentially, so it is vital that data is kept secure. Our approach to data protection as we leave the EU is straightforward: we wish to ensure the unhindered free flow of data between countries, if that data is held securely and privacy is respected.
I pay tribute to the right hon. Gentleman’s extensive understanding of these issues, not only from his time as a Minister but since. His understanding is so good that he has correctly anticipated the next page of my speech. That is exactly what we are seeking, because it is strongly in the mutual interests of the UK and the rest of the EU that such an arrangement is put in place.
Having just set out my punchline, perhaps I can describe the build-up to it. The goal is for data to be unhindered when security and privacy are respected. It must be unhindered so that trade and communication can be effective, and so that we can innovate in the use of information, including through advanced techniques such as machine learning and artificial intelligence. But data can be unhindered only where it is appropriate for it to go—with data held securely and privacy respected—which means where there are high standards of cyber-security and data protection.
On cyber-security, the 2017 British Chambers of Commerce digital economy survey reveals that at least one in five UK firms were subject to a cyber-attack in 2016, with larger firms more likely to be hit. As more and more citizens, and the wider economy, rely so heavily on digital technology, it is vital to keep data safe from cyber-attack. On the other side of the coin from strong cyber-security is strong data protection. The UK has been a world leader in data protection for a long time, combining privacy with support for dynamic data-driven innovation. We are determined to ensure that, after our exit from the EU, the UK remains a global leader, promoting both the flow of data internationally and high standards of data protection.
For more than a generation, the Data Protection Act 1998 has been regarded as the gold standard in the world. That Act, which was based on European rules set out in 1995, was the result of a piece of work that started under the then Conservative Government, with the legislation enacted by the subsequent Labour Government. That demonstrates the cross-party approach that has been taken to data protection in the UK. Technology marches on, however. It is almost 20 years since the 1998 Act, but the legislation needs to be kept up to date in this changing world. The Data Protection Bill, which had its Second Reading in the other place earlier this week, will modernise data protection legislation, giving citizens more rights over their data while allowing businesses to use modern data management techniques. It offers greater transparency and accountability, thus giving people more reassurance about how their personal data is used by businesses and organisations. Increased accountability and public confidence in how data is used can enhance the digital economy for the benefit of all.
To return to the point made by Stephen Timms, the Bill will prepare Britain for Brexit. It will extend the EU’s general data protection regulation—GDPR—and bring into UK law the law enforcement directive. It will extend the principles of GDPR into many areas of our domestic law, which will help to ensure that we prepare the UK for the future after we have left the EU. The implementation of the Bill will ensure that we preserve the concepts of the Data Protection Act that have served us so well. We will aim to ensure that the transition for businesses, individuals and charities is as smooth as possible, while complying with the GDPR and the law enforcement directive in full. That means we will be as well placed as possible to achieve the unhindered flow of data with the EU through something akin to the adequacy deal mentioned by the right hon. Gentleman. That is strongly in the interests of both sides in the negotiation.
Yes, of course. Our future relationship with the EU will be bespoke. We want to make sure that the flow of data is unhindered, so we effectively seek an adequacy deal, but that is currently scheduled to be negotiated as part of the future relationship. Whether it is enacted through the formal EU mechanism of an adequacy deal or as part of the negotiation is, in a sense, immaterial. What matters is the unhindered free flow of data between the two regimes.
No one would dispute the worthiness of the Minister’s intentions, but the UK will none the less cease to be a member of the EU’s safe data zone following Brexit, which will make it more difficult for banks and other businesses to transfer data between the two jurisdictions. Will the Minister give some reassurance to businesses that are having to make decisions between now and Christmas, and into the first quarter of the new year, that we will secure the transitional arrangements that businesses need and thereby give them certainty that they will be able to continue to operate as they do now, not only when a deal on our future relationship is signed, but in the crucial transitional period?
That is our objective in terms of the goal, but I have one difference with the premise of the hon. Gentleman’s question. He said that our leaving the EU will make things more difficult, but that is not necessarily so, because we seek a relationship that, in terms of the unhindered flow of data, is as high quality as the one we have now. We of course need to secure that as part of the negotiations, and we need to secure it as part of the transitional arrangements as well. Indeed, as we set out in a paper published in August, we are looking at an enhanced mechanism that is not just the normal adequacy deal that other third countries have, but one that enables continued technical engagement between the Information Commissioner and European bodies to ensure that our technical capabilities can continue to inform the future development of data protection standards inside the EU. I did not simply say that we seek an adequacy deal full stop, because we are looking into having a deal that not only reflects a normal third-country adequacy deal, but goes further and ensures that we have a stronger technical relationship between our regulator, the Information Commissioner, and the European regulators.
The UK has more than 10% of data flows, more than three quarters of which are with the EU, and more than 40% of the data centres in Europe are in the UK, so does the Minister agree that it is in the interests of European businesses to secure data adequacy—or data adequacy within a new free trade agreement—as well as in the interests of British businesses?
I agree wholeheartedly and strongly with my hon. Friend, who is an expert in these matters, having just arrived in the House from the European Parliament, where she was a rapporteur on some of the key committees that made a number of the important decisions in this policy area. She is absolutely right. The unhindered flow of data will take place between two regimes that are harmonised, because we are bringing into UK law the GDPR, which is obviously European legislation. It is in the strong interests of the UK and the EU to ensure the unhindered free flow of data after Brexit.
I thank the Minister for so generously giving way. I just wanted to press him on the point that he made about the engagement that will happen at a technical level. In practice, does that mean that our standards will be maintained in tandem with those in the EU, and that therefore there will be no difference between the two?
What it means is that the arrangements are harmonised right now. Should the Data Protection Bill become an Act, as I sincerely hope it will—it does have cross-party support—our existing arrangements at the point of exit will be harmonised. What happens after that will depend on the negotiation of our future relationship, with the UK being sovereign. The point is to ensure that the technical details are informed by high-quality UK technical considerations and the capability of the Information Commissioner’s Office. This is, of course, subject to negotiation. We set that out as something we wanted to consider when we published the paper in the summer but, as the right hon. Gentleman may have heard, we are not yet on to negotiating our future relationship, although we are looking forward to that happening.
During the summer, we published the future partnership paper, which sets out how we ensure the continued protection and uninterrupted exchange of personal data between the EU and the UK. The purpose of setting that out was to offer stability and confidence to businesses, public authorities, charities and individuals. My message to business in particular is very clear. We understand how important this matter is. We know that it is in the strong self-interest of the UK and the EU to get a good deal that involves the unhindered free flow of data. The new partnership should protect the privacy of individuals and respect the UK’s sovereignty, including the UK’s ability to protect the security of its citizens, and to maintain and develop its position as a leader in data protection. Ensuring that we protect privacy while also allowing for the innovative use of big data so that the UK can be a world leader in artificial intelligence are the joint goals of the Data Protection Bill.
On the point about what the general data protection regulation provides as an opportunity, does the Minister recognise that it will actually be implemented through a statutory instrument under the European Union (Withdrawal) Bill? Does he agree that we should therefore have a debate in the House on that SI when we get the opportunity?
I am sure that the Under-Secretary of State for Exiting the European Union, my hon. Friend Mr Walker, will have heard that point—this is a bit like a return to business questions from earlier. Parliamentary procedure is a matter for that Bill, but the hon. Gentleman has made his case. It is very important that the element of the GDPR that is directly applicable and therefore not in the Data Protection Bill is brought into UK law. However, we have designed the Bill so that that can slot directly in, meaning that once we leave, the UK should have a fully consistent, full-spectrum data protection regime under our legislation.
The new relationship should also not impose unnecessary additional costs on businesses and must be based on the objective consideration of evidence. Furthermore, because many of these issues are technical, we will continue to seek ongoing regulatory co-operation between the EU and the UK on current and future data protection issues. By doing that, we will build on the opportunity of a partnership between global leaders on data protection and continue to protect the privacy of individuals. As the paper that we published in the summer reiterates, it is important that we provide clarity and certainty for businesses and individuals as soon as possible, so that data flows are not disrupted when the UK leaves the EU. In addition, this is part of a wider global debate about the flow of data, because it is also incredibly important that we get right our data relationship with the United States, Japan and others.
The Minister is being very generous with his time. I am sure that he is aware that the people of Gibraltar are concerned about the impact of the disruption of data flows. Gibraltar holds many data servers, and people there are very concerned that there might be longer-term impacts on their businesses. Can the Minister say anything about that?
Gibraltar is, and will continue to be, part of the United Kingdom. The Under-Secretary of State for Exiting the European Union leads on issues relating to Gibraltar. He will have heard those concerns and will be able to respond to them in detail. In a sense, all this shows why it is so important to get this agreement right.
I thank the Minister for giving a detailed response. I just wanted to put on record my interest in relation to Gibraltar so that it is not missed.
I am glad that I gave the right hon. Gentleman the opportunity to do so.
A strong relationship on data is beneficial to citizens as it will reassure them that their personal data is subject to robust protection. Maintaining the flow is also important. Once we have left the EU, we will continue to play a leading global role in the development and promotion of appropriate data protection standards with trading partners right around the world.
I am glad that the Minister is committed to seeking this adequacy agreement. Does he recognise that one step that will make that a bit harder—perhaps significantly harder—is the fact that under the terms of the European Union (Withdrawal) Bill, article 8 of the European charter of fundamental rights will no longer be part of UK law? That creates uncertainty about how our data protection law will work. Appeal decisions frequently refer to the actual article, which is part of UK law at the moment. Will he therefore support amendment 151 to the Bill, which would oblige the Government to put back into law the clear assertion that everyone has a right that their personal data is protected?
I thought that the right hon. Gentleman might raise that. I understand his amendment and the reason behind it, which is to ensure that what we are trying to achieve is achieved. However, the removal of the charter from UK law should not affect the substantive rights of individuals when their data is processed, because the charter is not the source of the rights contained within it. The charter was intended only to catalogue rights that already exist in EU law. As he knows, there is not a charter of fundamental rights in the same way in UK law, and it is not necessary. Although I agree with the purpose and intent of what he is trying to achieve, which is to make it as likely as possible that we achieve the adequacy deal and the high-quality arrangements that we are seeking, the amendment is not necessary because of the nature of the charter.
I hope that I have managed to answer Members’ questions. Although I look forward to the debate, I think that we can see strong cross-party agreement on the importance of a high-quality data relationship with the EU once we have left, on ensuring that that works for citizens, businesses and individuals, and on ensuring that we can build on that relationship, which underpins so much in our modern economy.
First, let me apologise for my right hon. Friend Liam Byrne who has recently joined our team and would normally be speaking on these matters. He is currently fulfilling a prior obligation to speak at the Council of Europe in Strasbourg. It is nice to have him on our team as we served together in the Cabinet Office in government, along with my hon. Friend Tom Watson, and we all look forward to serving in government again very soon in the Department for Digital, Culture, Media and Sport.
If I may, I will just correct the Minister, who inadvertently misinformed the House. Of course, Gibraltar is not part of the United Kingdom. It is an overseas territory. It is technically part of the European Union, although it is obviously excluded from the customs union and the common agricultural policy.
The hon. Gentleman is quite right. Of course, Gibraltar is part of the UK family. I should have been clearer about that, but I am glad that we have cleared that up.
As ever, the Minister is modest enough to accept when he makes a mistake and correct the record.
There are few debates that are more important than those concerning trade, especially in the context of the decision of the UK to exit the European Union with all the impact that that could have on the UK economy. As the Minister quite rightly said, in the 21st century there is nothing much more important to trade than data. As we have heard, 43% of EU tech companies are based in the United Kingdom and three quarters of the UK’s cross-border data flows are with other European Union countries. These data flows are essential for UK trade. Approximately half of all trade in services is enabled by digital technologies and the associated data flows.
Effective modern data protection laws that set down strong rights and protections are vital if the public are to have any trust in the use of personal information within the digital economy, the delivery of public services and the fight against crime. Ensuring that the public can trust that their data is handled safely, whether in the public or private sector, is important for us all. We need to get the Data Protection Bill right—as the Minister pointed out, the Bill has been introduced in the other place and is there as we speak—to implement the new European Union rules on data protection contained in the general data protection regulation. If we do not get it right, people will not benefit to the fullest extent from the new digital services that are coming online all the time. I am sure that the Minister will be pleased that the Opposition welcome the Bill. We deeply regret that the Government opposed our previous attempts to strengthen data protection at the time of the passage of the Digital Economy Act 2017, just a few short months ago, but better late than never. In scrutinising the Data Protection Bill, we will ensure that it is not too little, too late.
So far, the Government have talked the talk about their commitment to unhindered, uninterrupted data flows post-Brexit, but the Data Protection Bill does not really set out fully how they plan to deliver on that promise. Even if the Bill succeeds in bringing UK law into line with the EU’s data protection framework by the deadline of
Under article 45 of the general data protection regulation, the European Commission is required to consider a number of issues including, among other things, existing surveillance practices. As Lord Stevenson said in the other place on Tuesday, several commentators have indicated that the current activities of British intelligence services could
“jeopardise a positive adequacy decision” since data protection rules
“do not offer an equivalent standard of protection to that available in the rest of the EU.”—[Official Report, House of Lords,
Vol. 785, c. 129.]
Lord Stevenson asked the Government how they might square this circle, but unfortunately received no answer. I understand we will have the intense and unusual pleasure of a second contribution from the Minister in this debate—I foreshadow that by indicating to the House that I will also seek permission to respond on behalf of the Opposition in a similar fashion—so perhaps he could answer that question during his closing remarks.
The Government seem to have lost sight of the need to ensure continuity during the transition period and beyond. They must have measures in place to reassure all those businesses that have taken advantage of the UK as the gateway to Europe that they will pass the adequacy test and ensure that stability and certainty. Given that we need a new data protection regime for sharing data across the channel and the Irish sea, we may as well get this new regime right for consumers as well as businesses. At a time of increasing concern about the misuse of personal data by certain companies, is not there a need for a far more stringent regulatory structure than that contained in the Data Protection Bill?
Colleagues in the other place have already remarked that the tech giants that dominate the digital economy and the market for data have, for too long, got away with portraying themselves as purely neutral platforms. They are not, as each of their business models—not to mention their share value—is predicated on the data flows that they generate and monetise. It has become a cliché, but in a very real sense data is the new oil in the economy.
We should also speak about children in the context of data protection. The Minister did not mention this part of the Government’s plans in his remarks, but I hope he refers to it when he sums up. Children and young people are at the leading edge of the online world, with 75% of 10 to 12-year-olds and 96% of 13 to 18-year-olds using social media sites, with Facebook ranked at the top. Sadly, this has resulted in children and teens being treated as data assets by business, with their personal data stolen and sold without informed consent on a regular basis. That cannot be right. The Data Protection Bill represents an opportunity to right this wrong, but the current drafting of the Bill does not give us much cause for hope in that area.
The Government have chosen to derogate from the general data protection regulation, as the Minister mentioned, by setting the minimum age for a child consenting to the processing of personal data at 13 years of age, rather than 16. Why have they chosen to derogate in that fashion? As John Carr, a member of the executive board of the UK Council for Child Internet Safety, which was set up under the last Labour Government, has noted, perhaps the age of 13 was chosen because when Ireland—where the big social media companies are based—decided on 13 years of age, the UK’s decision was all but irrelevant. Does the Minister agree with that? If that is not the case, what is his explanation for why the Government chose to make this derogation? They claimed in their statement of intent published in August:
“Child online safety is one of the top priorities for this government”.
Some people might argue that a lower minimum age is good for younger people’s participation in the digital world, but evidence from the regulator, Ofcom, shows quite clearly that fewer than half of 12 to 15-year-olds can identify an online-sponsored result, let alone understand how companies exploit their personal data. If the Government insist on staying the course with regard to this derogation, they must at the very least guarantee to the House today that they will ensure a significant increase in media education and digital literacy among young people. I hope that the Minister will refer to that in his response. This returns us to the responsibilities of social media and other online businesses.
While we may debate where the minimum age of consent should be fixed, the fact that the Bill does not place any requirements on these companies to prevent under-age access to their services is a glaring oversight, especially from a Government who claim that child online safety is one of their top priorities. The Leader of the House so memorably described Jane Austen in this Chamber not so long ago as
“one of our greatest living authors”—[Official Report,
Vol. 627, c. 1004.]
To paraphrase Jane Austen, it is a truth universally acknowledged that the Government are making a complete Horlicks of the article 50 negotiations, as we saw again just this morning. At least, they have now taken up our policy.
Just on a point of English language, it is clearly not a truth universally acknowledged, because I do not acknowledge it.
I give the Minister and the Government credit for taking up our policy of having a transitional period with regard to Brexit to give themselves a little more time. The price of getting data protection wrong would obviously be enormous, because so many companies rely on transmitting data across the single market.
For many years, we have talked of the four freedoms—the free movement of goods, services, capital and people—but there is a fifth freedom, because, in reality, we have created one of the world’s leading regimes for data transfer, which has allowed our tech companies to grow, flourish and prosper. It would be a disaster if any division, dithering or incompetence around the Brexit negotiations now imperilled that achievement.
The Government have set themselves a very tight schedule for passing the Bill into law before the end of April 2018. As I have indicated, the Opposition will support the main principles of the Bill, but there is a great deal of work still to be done, with several areas needing to be scrutinised, and the Government need to be prepared to amend the Bill to rectify some of the inadequacies I have indicated during my remarks.
All of us in this place owe it to the public, and especially to children, to get this legislation right. We cannot afford to fail just because of the dysfunctionality at the heart of the Government, and I hope the Minister will not be complacent on that score.
I will not stray on to the issue of authors, living or dead, but I do want to address three issues in this important debate.
The first picks up from where the shadow Minister left off. As a London MP, one cannot but be aware of the significance of tech companies and the digital industry to our economy. That is part of what makes London the world’s financial capital, and getting our position right on these issues and maintaining it is absolutely critical to our arrangements going forward.
As hon. Members know, I come at this debate as someone who rather wishes we were not in this situation, but given that we are, getting the detail right is absolutely vital. I understand and support the thrust behind the Bill and what the Minister very fairly said in his opening speech, but the detail is terribly important.
Only this week, I was at a meeting of the all-party parliamentary group on wholesale financial markets and services, where a number of representatives of the financial services sector, including Citi UK and UK Finance, raised the real issue that while we talk a great deal about the need to preserve regulatory equivalence and other means of achieving access to the single market once we have left it, data sharing is, to some degree, the elephant in the room and is often not spoken about. The director of one of London’s leading accountancy and consultancy firms described it to me as a huge issue that needs to be tackled.
The Minister is right to recognise the issue, and the Bill, of itself, is right and proper, but getting the detail right will go well beyond that. When he replies, I hope he will be able to assure us that his Department and the other relevant Departments are keeping in close contact with our financial sector. There are people with massive expertise out there, and they are willing to help the Government on this, and it is critical that we get it right for the future health of the UK.
None of us wants to see London’s position as the world’s financial capital diminished, and that is not in the EU’s interests either, because, in many respects, London, as a financial and digital capital, has been a gateway into European markets for many third-country investors. We want that to remain the case, so getting these issues right is terribly important.
My second point was highlighted by Tom Brake. I agree with him about Gibraltar, and I declare an interest as the chair of the all-party parliamentary group on Gibraltar. I recently returned from Gibraltar’s national day celebrations, and you are fondly remembered there as an active former member of the group and as a good friend to Gibraltar, Madam Deputy Speaker.
Cross party, members of the all-party group were struck by the importance of this issue to Gibraltar. Gibraltar has revived its economy in recent years, moving away from what was essentially a garrison-type economy to an economy that is strongly based around financial services and online digital operations of a number of kinds—they are now the most important part of the economy. As the Minister says, Gibraltar is a successful part of the British family—a self-governing British overseas territory that is entirely financially self-supporting. It is to Gibraltar’s credit that it has been at pains throughout this period closely to mirror United Kingdom and European Union regulatory arrangements, and it ticks all the boxes in regulatory terms.
My hon. Friend is absolutely right. The two key messages that one gets on this topic from Gibraltarians across the political spectrum and from all parts of Gibraltarian society are, first, that they do not want to be left behind in any arrangements that the UK makes with the EU27—they do not want to be collateral damage in any sense—and they want to maintain the arrangements and access that we have. Secondly, they want above all to maintain the closest possible friction-free trading arrangements with the UK, where a great deal of their service business is already conducted. Getting that right is terribly important for Gibraltar. It is a small economy with little other resilience, and it really needs our support in getting the data issues right to protect what is a very successful story for the British family.
My third point relates to legal matters. I take the liberty of referring to the Justice Committee’s ninth report from the 2016-17 Session of the last Parliament. As hon. Members will know, I have the honour to chair that Committee, and we issued a report on the implications of Brexit for the justice system. I hope we will soon have a response from the Government to that report; it is one of those that is in Ministers’ in-tray—or, I hope, out-tray—at the Ministry of Justice. Perhaps a gentle nudge might be delivered by those on the Treasury Bench to their right hon. Friends there.
The report is constructive and stresses the importance of information-sharing arrangements for the legal system and the justice system. Part of that relates to the UK’s legal services, and that links in to what I said earlier about the financial services sector in London. The legal service sector underpins a great deal of that financial services work, so getting this issue right is critical for UK firms contracting with parties in the EU or with third parties. At the moment, a great deal of work is written in English law, and that is a great advantage to us, so getting the data sharing right around all those matters is terribly important to the firms involved.
However, the other issue in our report, which is perhaps even more strikingly important, relates to information sharing on policing and critical justice co-operation. In many respects, we have led the field in this regard, and it will certainly not be the intention of the Government or of the Prime Minister, who both as Prime Minister and as Home Secretary has stressed the importance of this issue, to lose any of that information sharing. However, again, the devil is always in the detail in these matters, and perhaps I can highlight what the Committee found.
We took a considerable amount of evidence, and it is clear that the EU offers a number of information-sharing tools. I particularly want to highlight the importance of the European criminal records information system. We are in that at the moment, and it was clear from the professionals in the field who gave evidence to us that we must do all we can to maintain access to that system. It provides access to accurate records of EU citizens’ offending histories.
It is perhaps worth putting on the record a quote from the National Crime Agency. Its evidence was:
“Through ECRIS, the UK is able to exchange tens of thousands of pieces of information about criminal convictions each year that help police and other law enforcement agencies to investigate crime, protect the public and manage violent and sexual offenders.”
Is the hon. Gentleman able to clarify for me whether that is one of the data exchanges that are subject to the European Court of Justice rulings to ensure safeguards for those exchanges of data? If I am correct, how does he see that relationship continuing with the UK post Brexit?
My understanding is that it is likely to be subject to the ECJ, and we concluded that while we might seek to remove the direct jurisdiction of the ECJ in some matters, the idea that we will not have an ongoing relationship with the ECJ on such matters is unrealistic. That will be important.
We want to stay in ECRIS, but we noted that there are no previous examples of a non-EU member having access to it. We will have to seek a bespoke arrangement to achieve that, and I hope that Ministers regard that as a high priority.
On the subject of valuable data exchanges, does my hon. Friend agree that we also need to continue to exchange passenger name records, because that is vital for our safety? The exchange of passenger name records was, of course, led through the European Parliament by a British MEP, championed by the Prime Minister and helps to keep us safe when flying.
My hon. Friend is right and I pay tribute to the work that she did on this and several other issues for the United Kingdom during her time as a Member of the European Parliament.
The evidence given to the Justice Committee was clear that these are interlocking parts of a criminal justice co-operation system and we cannot cherry-pick some bits and not others. It is important that we find ways of maintaining equivalent means of access across the board on these criminal justice co-operation measures. I have mentioned ECRIS and I hope that the Minister will reassure us that finding a way to stay in it is a high priority for the Government.
We should also wish to remain in the second-generation Schengen information system as it gives the UK real-time access to all European arrest warrants. The European arrest warrant is a valuable tool and it is a great help to British law enforcement agencies. I say that as someone who worked as a barrister in criminal law for 25 years before I came to the House. That was at a time when we did not have that means of getting back from abroad villains who had committed crimes in this country. It is a great advantage that we do now have that ability, and since certain amendments were made to the way in which it operates, there are many more safeguards for UK citizens when an EAW is issued than was previously the case. It is a tool that has been refined and improved, and it would be a great advantage for us to stay in it.
SIS II—I apologise for all the acronyms—is also important because it contains, for example, alerts on missing persons. In all, it gives us access to 66 million pieces of data, which helps our justice system, and it is important that we continue to have access to it. The National Crime Agency said:
“Loss of access to SIS II would seriously inhibit the UK’s ability to identify and arrest people who pose a threat to public safety and security and make sure that they are brought to justice.”
I hope that the Minister will confirm that that, too, is a high priority for the Government.
I stress my agreement with the hon. Gentleman’s remarks about these sharing systems. An example given to me by the Avon and Somerset constabulary involved the awful case of a member of the public viewing child pornography live in this country. Through data-sharing with the continent, the police services in Spain were able to raid the person delivering the data and bring to an end the crimes being committed here and in Europe. Such data sharing must continue, to protect our constituents and our friends on the continent.
The hon. Gentleman is right, and that was the tenor of the evidence that we heard from all the law enforcement agencies. The benefits of data have also meant that crime has been internationalised in a raft of ways, including of course classic cybercrime, but also in international fraud, organised crime and, sadly, sexual offences through the internet. Having a full range of measures to deal with those issues is critical.
I wonder whether the hon. Gentleman’s excellent Committee had an opportunity to look at the contingency plans that would be necessary for all the valuable databases he has set out, should the UK crash out of the EU in March 2019.
The clear evidence given to us was that the only viable contingency plan would be a significant transitional period. It would not be possible to replicate those systems in the event of a supposed clean-break arrangement, and it would be necessary to have transitional measures. The evidence did suggest that those could vary from sector to sector, in terms of the length of time required and the amount of detailed work to be done, but it would be a serious setback for us to leave the European Union and the current data-sharing arrangements without something being put in place to bridge us over the leaving period for implementation or a clear end state for our ongoing relationship in the areas of data sharing and criminal justice co-operation. It is in everybody’s interests that we achieve that and it is an important issue to bear in mind.
We concluded that data sharing is not an area in which we can take a risk. Indeed, we concluded that these matters are so important that one would ideally wish to see them decoupled from the rest of the Brexit negotiations. Divorce bills or otherwise, public safety and security work for our interests and for every one of the citizens of the EU27 too. The right hon. Gentleman makes an important point and I agree with him.
I have talked about two key systems and I want to highlight their interrelated and technical nature because it is important to put that on the record. As well as those two systems, we also have access to Prüm, a regime for exchanging biometric information and vehicle registration data. It reduces the time taken to find matches from tens of days to 15 minutes when fully in place. We have recently gone into Prüm, and the chairman of the Criminal Bar Association, Francis FitzGibbon QC made the point to us that—and I shall quote his stark words in full to highlight their significance—
“if someone lets off a bomb in Berlin and makes his way to London, the police will be able to get hold of the fingerprints of the chap they arrest for double parking, or whatever it is, instantaneously.”
That gives us the swift ability to track down serious threats to our safety across the continent. We have not yet implemented Prüm, but we have signed up to do so and I hope that we will make it clear that we will implement it while we remain in the EU and we will seek to continue in it once we leave.
Our concern was that both Norway and Iceland—which are not members of the EU, although they are Council of Europe countries and have association arrangements with Interpol and others—have waited some years to have access to Prüm. We have started from a closer position and it would be a tragedy if we went back to the same place in the queue as them, giving away something that we are already moving into. I hope that the Minister will reassure us that the Government will attend closely to those specific points during the negotiations.
Our conclusion was that all these matters, extradition arrangements, the EAW, the data sharing that underpins prisoner exchange arrangements, together with our arrangements on judicial co-operation—on which British judges work closely with their counterparts—and of course our membership of Europol are all part of a system that comes together to protect us in criminal justice and security matters. They were described by our witness Professor Wilson as part of a system that
“you cannot disaggregate because, in my view, if you take out elements of the system, you have a less effective system for protecting British citizens on the streets.”
That was also the clear evidence from the Northumbria Centre for Evidence and Criminal Justice Studies. The evidence was overwhelming. Sometimes, as lawyers, we get cases in which the evidence all points one way, and that was very much our conclusion from the evidence to the Committee’s inquiry. These are all important matters. Of course, they are but one part of the data protection and sharing regime, but they are critical.
We received the clear message from practitioners that whatever we do and however we get to these arrangements —I hope that the Bill, when it is brought to the House, will help us to achieve this—the end state has to include a means of making sure that our data sharing and data protection regime are sufficiently close to those of the EU27. We shall, therefore, have to have a means of tracking changes and replicating them when it is likely to be to our mutual advantage to do so. Otherwise, with the very best will in the world, a law enforcement agency or police officer in the EU27 might not be able to share potentially critical information with his or her UK counterparts because he or she might find themselves in breach of the data regulations in his or her own EU27 country. That cannot be in anyone’s interest. I hope that the Minister will reassure us that creating such a system will be the centrepiece of our objectives on data sharing in relation to criminal justice and co-operation matters.
At the start of this week, the Prime Minister told the United Kingdom to be prepared for the possibility of a no-deal Brexit. The warning was clear and unambiguous that with gridlocked negotiations a no-deal Brexit was becoming increasingly likely. Of course, the effects of a no-deal Brexit would be catastrophic. The consequences for our economy, our trade and our EU citizens are obvious, and they have been well documented. Less obvious, and among the multitude of hugely important issues that rarely make the headlines, is the impact on data protection of the UK leaving the European without a deal.
Data protection has been described by The Economist and others as:
“The world’s most valuable resource”.
Kevin Brennan described data as “the new oil”. Currently, the UK Government define data protection as the controls on how personal information is used by organisations, businesses or the Government. Everyone responsible for using data has to follow strict rules, and they must make sure that the information is used fairly and lawfully. Information that is held on individuals can include their name, address, credit history, employment history, salary details and even internet browsing history. I am sure that hon. and right hon. Members would wish some, if not all, that information to remain as secure as possible. Robust and strict data protection is therefore absolutely essential to avoid any improper use of that information, whether that be online fraud or identity theft, and to keep it from falling into the hands of people or organisations with which we would rather not share it.
Data protection may not be something that we think about every day—indeed, it may not even cross our minds from one year to the next—[Interruption.] Perhaps that is not the case for my hon. Friend Patrick Grady. Whether we think about data protection on a daily basis or not, its importance is not diminished. That is why it is absolutely vital that the level of data protection we currently enjoy as EU citizens is guaranteed on day one of Brexit, so that businesses and individuals can continue to rely on existing data flows. It is no exaggeration to say that millions of jobs across Europe rely on data protection and data processing to a greater or lesser extent.
As the Minister acknowledged, the security we receive from our data protection legislation already has a distinctly European flavour, originating as it does from the 1995 EU data protection directive, which was adopted into UK law in the Data Protection Act 1998. Since then, the way in which we create, collate, access and use data has changed enormously, as has the amount of data we create as individuals and as a society. In recognition of that, in 2016 the EU introduced a new legislative framework for data protection: the general data protection regulation, of which we have heard so much, and the police and criminal justice directive. Both those pieces of legislation form the basis of the Data Protection Bill that is in Committee in the other place. The regulations will apply in member states from 2018, and EU member states are required to transpose the directive into national law by the same date.
The Scottish National party agreed with the Minister when he said in February that the GDPR was a “good piece of legislation”. We were pleased that it was included in the Queen’s Speech, and that the Government made it clear that our current data protection framework would be amended and made compatible so that we can adopt the new regulations. We very much welcome the Government’s move to implement the GDPR, giving people more power and control over their own data.
In normal circumstances, I believe that that piece of legislation would be relatively uncontentious. However, as it has done and I believe it will continue to do, Brexit makes the subject of data protection hugely problematic. If we are to leave the EU in March 2019, what is the future for our newly agreed and freshly implemented cross-border, pan-European arrangement with our EU partners? What will be the consequences for businesses and individuals if the UK suddenly finds itself on the outside without a deal to continue the free flow of data not just with the European Union, but with the safe nations with which the EU has secured a reciprocal deal? At a stroke, could the United Kingdom lose its right to exchange data with the United States, a nation on which the Secretary of State for International Trade and President of the Board of Trade seems to be pinning so much hope for our future trade?
We are in an era in which geographical boundaries for data do not exist. Today, as probably every speaker in this debate has said, almost half the large EU digital companies are based in the UK, and a remarkable 75% of cross-border data flow out of the UK is with EU countries. We also have significant data flow with the United States, which occurs because we enjoy access to the EU’s privacy shield agreement. There is no such thing as sovereignty where data is concerned. Currently, we are a signed-up member of an international network committed to safeguarding data. In this global economy, the unfettered free flow of data across international boundaries safely and without delay, cost or detriment is absolutely essential, not just for individuals and businesses but for agencies that need to work across international boundaries. We have heard about many of those agencies today, and they deal with matters such as crime prevention, disease control and national and international security.
For the UK to be able to take full advantage of the continued free flow of data with the rest of the European Union post Brexit, the most straightforward route would be for the EU to issue an adequacy decision. An adequacy decision, as we have heard, is given to a third country—a country that is outside the EU and the EEA—to allow it to operate securely and freely within the framework of the GDPR. It can be given to countries that meet the required standard of data protection, a criterion that currently applies to the United Kingdom. The problem is, however, that an adequacy decision is designed for third countries, and the UK is not—yet—a third country. Indeed, it will not be one until the end of the Brexit process. There is no existing legal mechanism to enable the EU to award an adequacy decision to a country in advance of its leaving the EU. As the leading data protection lawyer, Rosemary Jay, said, the EU has to go through a legislative process, and it is simply not in the EU’s gift to do this in an informal way. I cannot comprehend what the Minister meant when he said that he sought “something akin to” an adequacy deal.
The negotiation of the EU’s future relationship with the UK is not some sort of informal approach; it is a very formal set of talks. We hope that it will lead to a good deal, which we hope will include this area. That is exactly what I meant.
I thank the Minister for his point, but I stress again what Rosemary Jay said: the Commission has to go through a legislative process, and it is not within the EU’s gift to do this in an informal way. There could be a further complication in the UK’s achievement of an adequacy decision. As the hon. Member for Cardiff West said, ahead of granting an adequacy decision the European Commission is obliged to consider a variety of issues, such as the rule of law, respect for human rights and legislation on national security, public security and criminal law.
That being so, there is a very strong suggestion that the Investigatory Powers Act 2016 may jeopardise the ability of the UK to receive a positive adequacy decision. The Investigatory Powers Act has already been accused of violating EU fundamental rights. Eduardo Ustaran, the internationally recognised expert on data protection law, has said:
“What the U.K. needs to do is convince the Commission—and perhaps one day the European Court of Justice—that the Investigatory Powers Act is compatible with fundamental rights. That’s a tall order”.
While the Government are understandably desperate to secure an adequacy decision, the harsh reality is that a lengthy and challenging legal process may have to be undertaken before that happens.
I fear the Government are in denial about this. Indeed, when questioned by the Culture, Media and Sport Committee back in February about what would happen on the day after Brexit if we do not have an adequacy decision in place, the Minister said:
“we seek unhindered data flows but we want that to happen in an uninterrupted way—that is to say, on the morning on which we have left the European Union, it is very important that our data rules work, so that there is an uninterrupted system in place”.
He is absolutely right—I could not agree more—but that did not answer the question about what happens if we do not have such an adequacy decision in place on the day we leave.
Just yesterday, at the Digital, Culture, Media and Sport Committee, I asked the Secretary of State a very similar question about the need to have an adequacy decision in place when the UK leaves the EU. Her answer was that she was
“very hopeful of getting that deal”.
I am sure she is and I wish her well, but at the moment there is no deal in place. The longer negotiations are at a stalemate, while we continue without the legal mechanism to get a third country deal, and, given the issues in relation to the Investigatory Powers Act, securing the agreement the UK needs and absolutely desires is becoming less and less likely.
Another potentially huge problem arises if we do not secure an adequacy decision by the day on which we leave the European Union, because not only will we be outside the EU and isolated from the other 27 member states, but we will also be outside the EU-USA privacy shield agreement. The consequences of that happening may be unthinkable for UK businesses and individuals, but it is absolutely incumbent on the Government to think the unthinkable and to be adequately prepared for it. Putting all their eggs in the one basket of hoping to secure a negotiated adequacy decision is a very high stakes game, so I again ask Ministers: where is the plan B should there not be an adequacy decision? What assessment has been made of the UK not having such a decision in place on the morning on which we leave the European Union, and when will Members of the House be able to see that plan B and that assessment?
Nobody wants such a situation to arise—we want a deal to be struck—but even if the Government’s faith is rewarded and we do secure an adequacy decision, the UK faces another problem. As the GDPR evolves over time, as it surely will, the UK, in order to maintain its membership, will be required to amend its data protection law to keep in line with European law. The EU charter of fundamental rights and freedoms is now central to EU data protection law, and the charter is interpreted by the European Court of Justice, yet clause 6 of the European Union (Withdrawal) Bill quite clearly states that EU courts will cease to bind UK courts and tribunals following withdrawal. I suspect that if the UK does manage to secure an adequacy decision, in order to keep it, it will have to fall into line with the European Union Court of Justice.
As I said at the start, we welcome the Bill as a move to ensure that people have more control over their own data and to bring the legislation into line with the huge technological advances since the 1998 Act. We welcome the commitment to implementing the GDPR, and to the UK remaining fully involved in protecting EU citizens’ data post-Brexit. We question, and we will continue to question, the Government on how they can take this forward when an adequacy decision is not guaranteed and while there are still unresolved issues about the Investigatory Powers Act, at the same time as they are seeking to remove the UK from the jurisdiction of the European Court of Justice.
Of course, it does not have to be this way. The best, easiest and most straightforward way to ensure that there are no disruptions to data flows between the UK and the EU after Brexit is for the United Kingdom to remain a full member of the single market. The agony and the fear for millions of businesses and individuals of being cut off from both Europe and America if we do not secure an adequacy decision could be avoided by our staying in the single market. Why put people and businesses through this?
After all, no one in any of the nations of the United Kingdom voted to leave the single market. In fact, two of the four nations of the United Kingdom voted to remain in the European Union. We are in this situation because of the Conservative party’s extreme interpretation of Brexit, and that is why we are now actually having to prepare ourselves for what, hitherto, was unimaginable—a no-deal Brexit, with the catastrophic consequences that it will inevitably have for our society and our economy.
It is a great privilege to follow Brendan O’Hara. He is a near neighbour of mine geographically, although on political issues we seem to be streets apart. I was pleased to hear him say—I assume he was speaking for the SNP as well as for himself—that he wants a deal. We all want a deal—[Interruption.] From the way SNP Members sometimes conduct themselves, we would think they take some perverse delight from the fact that we might not get a deal. We all want a deal, but I must tell him that, frankly, leaving the European Union means leaving the single market and the customs union. We cannot divorce those two things—it is the same thing. That was well rehearsed during the debate that led up to the vote last June.
That is the worse-case scenario of being on the receiving end of a flow of regulation with no input or influence over that at all. No, leaving the European Union means leaving the single market and the customs union.
I do not think that there is much virtue in rerunning the Brexit debate today, when we are discussing data, but I will say that it was well rehearsed, especially by the remain side, that leaving the European Union meant leaving the single market.
I am grateful for the opportunity to make a short contribution to this debate, and I do so from the perspective of having spent the past 30 years of my life in the world of sales. I should declare at the outset that I am a fellow of the Association of Professional Sales, a UK institution with a fast-growing global reputation. Its primary purpose is to raise the standard of sales professionalism, ethical sales conduct, and the overall talent and capability of sales professionals.
I recognise that this debate is about data protection as we leave the European Union, but let me be absolutely crystal clear: I am optimistic about the future of our country outside the European Union. I am not blind to the challenges that lie ahead, but I encourage Opposition Members who have a decided propensity to take a dim view of our future to brighten up. We have a great deal going for us in this country, and rather than cowering at the prospect of a global Britain, we should now embrace the opportunity.
So much of our national sales capability, which will be key to our global success, will hinge on our commitment to embracing new technologies. We in this country are driving the fourth industrial revolution, and I want our country, by which I mean—before my SNP colleagues shout, “Which country?”—the United Kingdom and Scotland—
No, they are not separate things. I want our country to be at the forefront of this revolution, because it represents a massive competitive advantage and can be the primary means of unlocking the perplexing conundrum of Britain’s productivity gap.
The fourth industrial revolution is powered by data. It has already been said a number of times in this debate—perhaps it is a cliché—that data is the new oil. Increasingly, data makes the world go around. I grateful to Guy Lloyd, a fellow of the Association of Professional Sales, for his graphic description of the digital age we live in, which is creating new information exponentially. Incredibly, 90% of data in the world today has been created in the past two years alone. Our current daily output of data is about the equivalent of 10 million Blu-ray discs which, if stacked, would be as high as four Eiffel towers. It does not take a genius to predict that, as the world becomes more connected and individuals become more empowered through technology, the data deluge will only increase.
Digital tools, fuelled by big data, are making it increasingly easy for business organisations to profile the marketplace they operate in, to identify the best potential customers for their business, and to improve the effectiveness and efficiency of their lead generation activities. Using artificial intelligence search engines, businesses trawl company reports, social presence and analyst commentaries to find companies that are likely to have a problem suited to their offering, and then identify who to talk to and how to connect with them based on their prospects’ employee social profiles. Artificial intelligence will also identify problems in the prospect journey through the opportunity pipeline, even predicting possible issues before an initial engagement, and suggesting workable solutions. The algorithmic examination of large amounts of data collected across the complex interactions of customers, and employees of customers, supports the design of much-improved customer experience. This is the world we are already living in.
Data protection should be about providing assurance that the data each of us provides to public bodies and private organisations is safe. The foundation principle of data protection must be trust. Each individual citizen must feel that their rights are protected in law, and they should also know that their rights are protected in law. The true focus of any data protection regime must be to provide reassurance to the individual citizen that their personal data is theirs to own, control and share as they choose, and that they can make decisions to share their data on an informed basis. Public and private corporations must be accountable for how they use that information, and they must collect it ethically and transparently.
There is no argument from me that the data protection regime within the European Union is a robust system that has been designed to provide significantly enhanced rights and protections for individual citizens within the European Union. My concern, however, is that data protection can also be a carefully constructed protectionist measure that works to the commercial advantage and convenience of some of the largest multinational companies. So often the voices of lobbyists and corporations drown out the better nature of our policymakers and, more often than not, that is certainly true of the European Union. EU regulations can become so complex and byzantine that new entrants to the field—I am talking from a commercial perspective—from emerging markets are crowded out. I seek assurances from the Minister in that regard.
Some Members will undoubtedly be in favour of protectionist policies, but I believe in free trade. The EU has built a wall from such regulations—a wall that we must be ready occasionally to breach. From my own point of view, the idea of being able to interact with the 3.7 billion humans who are on the internet is not only desirable but vital for the growth of many companies beyond the relatively small numbers within the European Union. We can position Britain at the heart of this global data processing industry. We have a proud history of this—from the Babbage engine to Skyscanner, via the work at Bletchley Park and Manchester 1. In my constituency of Stirling, superb IT companies are already expert in the field of data processing, and CodeBase Stirling, an organisation for supporting emerging companies, many of whom will be developing new applications in this field, has recently located there. Students at Stirling University are learning about big data in a master’s programme, and the work carried out there on big data analytics as well as machine learning will bear fruit long into the future.
We in this country have the skills and the knowledge. Members who think that we will sink without the EU have little faith in the spirit of the British entrepreneur. Brexit gives us the opportunity to think globally, and think globally we shall. Rather than the existing adequacy model of the EU, we need to consider partnerships based on shared understanding of privacy rights and a shared goal of ensuring that consumers give informed consent to their data being used. A shared international framework would give surety to companies operating globally that there are common standards to adhere to, at the same time as protecting consumers.
I am listening with great interest to the hon. Gentleman’s speech. If he is saying that we should not participate in the adequacy arrangements, is he disagreeing with the Minister’s comments that we should have an arrangement akin to the adequacy requirements?
No, I did not actually say we should not participate. I am saying that we should think further afield and establish relationships that involve agreements on a shared understanding of what privacy rights are, and we should ensure that consumers outside the EU, too, give informed consent to their data being used. A shared international framework would give surety to companies operating globally.
Many people of my generation will be disappointed that instead of personal rocket packs we have mobile phones and Twitter, but there is something about our modern life that fills me with hope. We can come closer together as a world community of individuals living together, with more respect for our fellow beings, as we see the barriers of culture, language and custom fall around us. But we need to be prepared for the times in which we live. We owe it to the people of our country and to our companies to keep our regulatory regime up to date as technology changes and emerges. Our laws should be responsive to change, and adaptive to the social and economic changes that technology brings about. I believe we can achieve that far more readily in our own Parliament and that we can make the UK a world class data-safe partner.
Privacy and the protection of our data are vital, given the way we live today. We create footsteps and tracks in all aspects of our life, whether through the purchase of a product at an online shop, the presence of our mobile phone accessing a public wi-fi, or the use of a social media platforms. Every aspect of our lives can be and is recorded by companies that use complex algorithms to profit from this information. Let us be honest: this can often lead to greater convenience for us as consumers. The way we surrender our personal data can be considered transactional. We surrender some of our personal freedom to get access to a product or service that we want. This needs to be made clear to people who often access services without knowing the sacrifices that are being made to their privacy. People might think they are getting things for free when in fact they are paying with their valuable personal data. Sometimes this is a good deal but sometimes it is not, and it is for informed consumers to make that choice. Rights enshrined in law should be clear and easy to understand. The use of personal information should be subject to regulation, but not in such a restrictive way as to make it impossible to handle. Informed consent should be our watchword.
The internet is the best vehicle for economic growth that we have, and with data being produced at a rate of 2.5 billion gigabytes per day, it is not going away. It is also a tremendous opportunity. Our responsibility as lawmakers is to anticipate and follow technological change, and to understand how the technologies and habits that our people form require new protections in law. It is also our responsibility to ensure that the laws that we make are proportionate and do not generate a protectionist climate for our companies, but instead protect our citizens.
I believe that this is another area of public policy where the opportunities presented to us by Brexit are substantial. We can make our laws more responsive, we can break down barriers to trade with consumers around the world, and we can build a proper data protection regime that protects our citizens.
I am pleased to follow Stephen Kerr and will pick up on one or two of his points.
David Cameron has a great deal to answer for. To win support from his party’s right wing for his leadership bid in 2005, he promised during the leadership campaign to withdraw Conservative MEPs from the European People’s party, the main centre-right grouping in the European Parliament, and he delivered on that commitment after the European elections in 2009. By pushing his MEPs to the fringes in the European Parliament, he significantly reduced British influence there and more widely in the EU’s structures, which meant that Britain did not get its way in Europe on an increasing number of issues, by contrast with previous Governments, both Labour and Conservative. The referendum result—the decision to leave the EU—was the inevitable outcome of that spiral of loss of influence, kicked off by his commitment in 2005.
One way to look at the referendum is as a choice between sovereignty and prosperity. In the referendum, the country chose sovereignty, and of course that was a wholly honourable choice to make, but we need to be honest now about the resulting loss of prosperity. Leaving the EU, if it is seen through in the way envisaged now, will make us poorer. Ministers need to stop pretending otherwise, for their own sakes, as well as for the sake of the country, because once the reality becomes clear, the punishment inflicted on the Conservative party will be all the greater if people have not been told what is ahead.
An official in Germany put it to me like this a few months ago: “If you want the benefits of the single market, you have to obey the rules of the single market.” Ministers continue to tell us that we can have the benefits but no longer obey the rules, but that will not be the outcome of these negotiations. It could not possibly be because, if it was by some fluke the outcome, Germany and lots of other Parliaments in the EU would surely vote it down when asked to decide on the deal.
This week, we have at least had some recognition of that reality from the Prime Minister. She has announced that in the transition period from April 2019 we will continue to obey the rules. The writ of the European Court of Justice and the free movement of people will continue into the transition period. As far as I could understand it, the announcement in her statement on Monday seemed to be that we would stay in the single market and the customs union, other than in name. I presume that this is a face-saving device to avoid the embarrassment of a clear U-turn. It would be much better to be honest and commit to staying in the single market and the customs union during the transition period at least, as argued by my right hon. and learned Friend Keir Starmer, the shadow Secretary of State for Exiting the European Union, and my right hon. Friend the Leader of the Opposition. The Prime Minister’s announcement does at least hold out the prospect of delaying the damage to our prosperity for a couple of years, but we need to recognise that that will not avoid the damage to our prosperity altogether.
The challenge is perfectly illustrated by the subject that we are debating this afternoon, and I welcome the fact that the Government have given us the opportunity to have this debate. Mr Speaker characterised my interest in a different area of policy earlier this week with the phrase, “some would say anorakish”. How much more that applies to the area of policy that we are debating this afternoon. The Minister was absolutely right in his opening remarks to underline just how important this policy area is for our prosperity. It underpins the wellbeing of the economy. Indeed, there is growing evidence that one of the reasons why we have failed on productivity growth in the UK in the past few years by contrast with other countries is that the internal management of companies in the UK has been digitised to a lesser extent than elsewhere. If we are to make progress on that—it is vital for our prosperity that we do—then data communications will be even more important in the future than they have been in the past.
I very much enjoyed and appreciated the contribution of Robert Neill, who chairs the Select Committee on Justice. He underlined, quite apart from the economic considerations, how vital it is for our security and safety that we can continue to communicate personal data with other European Union countries.
The Minister was right to make the point at the outset that our data protection laws in the UK originated with an EU directive in which the UK was very influential. The Conservative Government who negotiated that directive had a powerful voice at that time. Sadly, as I explained earlier, more recent Conservative-led Governments have had a much less powerful voice.
I agree with the right hon. Gentleman that the British MEPs had a strong influence on the GDPR as it was developed in Europe. One of the reasons the GDPR is a good piece of legislation that we can happily bring into UK law is because of that influence. We had that influence after we had left the EPP, so perhaps he will withdraw his earlier comments. As for this argument about lack of influence, the chair of the justice committee in the European Parliament is a British Labour MEP, so is he saying that the lack of influence that he describes is because of the Labour party?
No, certainly not. I am delighted that my Labour colleagues in the European Parliament have retained their place in the Socialist group and therefore their influence. The problem for Britain has been that, by leaving the EPP, Conservative MEPs have had much less influence. I am not saying that they have not had any influence—that is not at all the point I am making—but they have had a great deal less. Therefore, the British Government have been much less able to get their way in Brussels than previous Conservative and Labour Governments, and that is what inexorably led to the referendum result.
The key foundation stone for data protection regulation in Britain has been article 8 of the European charter of fundamental rights, which states:
“Everyone has the right to the protection of personal data concerning him or her.”
The European Union (Withdrawal) Bill—the Minister and I had an exchange about this earlier in the debate—removes the charter of fundamental rights from UK law, so article 8 will no longer apply. The Select Committee on Exiting the European Union took evidence on that point from lawyers yesterday. Sir Stephen Laws, former first parliamentary counsel, argued that the removal of article 8 was a good thing because nobody can quite know exactly what it really means, so that we end up with judges deciding in appeal cases, which makes the law uncertain. He made a very reasonable case. Far better, he said, for Parliament to decide the detailed law and regulations, so that everyone knows where they stand.
However, Dr Charlotte O’Brien of York Law School pointed out that in practice, judges deciding points of data protection law in Britain often refer explicitly to article 8. A reading of their judgments suggests that article 8 frequently sways the decisions that they reach, so it is likely that its removal will mean that their future judgments will be different from those that they have made up until now. We can have an interesting debate about which arrangement is better, and, as I have said, I think that Sir Stephen Laws made a perfectly good case. Our problem, however, is that we have to achieve a declaration from the European Commission that UK data protection law is adequate. That is crucial for the future of our economy.
A point that I hope will reassure the right hon. Gentleman is that EU jurisprudence will be brought into UK law through the European Union (Withdrawal) Bill, although EU jurisdiction will no longer continue.
The proposal is that article 8 will not be there any more. The problem is this: where in the European acquis, which is being brought into UK law, is the clear statement that everyone has the right to have their personal data protected? It is not there, and if it is not there, it will be significantly harder for the European Union to recognise that UK data protection law is adequate.
This is an incredibly important point, so I am grateful to the right hon. Gentleman for allowing me to intervene. The right is there: it is in the GDPR, which will be brought into UK law through the Bill.
The problem is that it is not. There is no clear assertion anywhere in UK law—other than, at present, in article 8—that everyone has the right to have their personal data protected. As I have said, and as was said in the Select Committee yesterday, judges, when making judgments on these matters in appeal cases, often refer to the wording of that article to reach their conclusions.
There is a perfectly good case for arguing that it is better not to have these slightly vague declarations, because the law is clearer if it is all spelt out in legislation that has gone through Parliament, but our problem is that that is not how the matter is looked at in Brussels. Over the next year and a half or so, the Minister has to persuade people in Brussels that our data protection is adequate, and if we no longer have a clear statement in UK law that everyone’s personal data is protected, that task will be a good deal harder.
My right hon. Friend is making extremely important points. The very fact that we are having the debate shows that there is uncertainty. When those who may be not so friendly to us in other parts of Europe are looking for cause to be difficult, does that not absolutely give them that cause?
As chair of the all-party parliamentary group on data analytics, my hon. Friend is in a very good position to understand just how important this is for our economy. He is absolutely right: if we open up that uncertainty in our regulatory arrangements, it will be harder, perhaps impossible, to achieve the adequacy agreement that we need.
I am grateful to the Minister for committing himself to seeking that adequacy agreement. Like Brendan O’Hara, I was slightly concerned about what he meant when he referred to something “akin to” an adequacy agreement. What we need is an adequacy agreement that is formally defined. We need that declaration from the Commission, so that UK businesses can continue to exchange personal data with businesses in other EU member states.
My right hon. Friend is making an excellent speech and some very pertinent points. Many tech firms and other companies in my constituency are concerned: we need to have such agreements in place—in particular, on data protection—and not having them in place will have a hugely detrimental impact. Does my right hon. Friend agree?
The firms in my hon. Friend’s constituency are absolutely right. If we do not achieve that adequacy declaration, it will become illegal for personal data to be exchanged between the UK and the countries of the EU, and there will no longer be a lawful basis for large swathes of businesses in the country to continue to operate.
Perhaps we can draw an analogy with my right hon. Friend’s earlier remarks about the customs union and single market and say that the Government are seeking an adequacy agreement, but not in name on this occasion.
The problem is that if it is not an adequacy agreement in name, it is not clear what it is. [Interruption.] Yes, an inadequacy agreement, perhaps.
We also need this to be clarified soon, because otherwise businesses will have no alternative but to make arrangements to shift the activities into the other EU countries to avoid the risk of them no longer being lawful—and if this is left to the last minute, with some late-night deal at some distant point, these companies will have gone.
I pay tribute to the hon. Gentleman for his work on that Committee, and his suggestion could well solve the problem. What I have proposed is amendment 151 to the European Union (Withdrawal) Bill, to require Ministers to put on to the statute book a clear statement that UK citizens have a fundamental right to the protection of their personal data. But he is right that we could equally well insert that wording into the Data Protection Bill, which is before the House of Lords at present. I should also point out that, splendid though it is, I cannot claim credit for the wording of my amendment, as it was drafted by techUK, in recognition of the issue’s importance to the industry.
I want to make a final point about the Data Protection Bill and postal direct marketing. I welcome the fact that the Government are implementing the GDPR, or general data protection regulation, but the Bill changes the basis for opting out of postal direct mail communications. At present, if somebody does not want to receive advertising addressed to them through the post, they can opt out by signing up to a register. As I understand it, the Bill will change that and companies will not be allowed to send people postal direct mail unless they opt into receiving it. I think that is the current arrangement for direct email, but there has been an opt-out arrangement for postal direct mail until now. There is a lot of concern that that change would be very damaging to the UK direct mail industry, which is a substantial industry, and that it is not required by the wording of the GDPR; indeed, legal advice has been taken on this point and the GDPR does not require that change to be made. If that is right, the Government are gold-plating the regulations that have come to us from the EU. They are absolutely right to be implementing the GDPR and to be doing so scrupulously, but they should not be gold-plating them, as I fear they might be in this case.
I am grateful to have had the chance to set out to the House a bit more fully the thinking behind my amendment to the European Union (Withdrawal) Bill, and hope I might have persuaded the Minister that, after all, it might be an amendment that he can support.
Thank you, Madam Deputy Speaker. I am grateful for the opportunity to make my maiden speech in this important debate. Although I have spoken several times already in the Chamber, questioning the Prime Minister and other Ministers, this is indeed my formal introduction to the House.
The past five months have been extraordinary, and it is a great honour for me to represent Warwick and Leamington, a constituency that also includes the town of Whitnash and a number of villages. I wish to place on record my thanks to them. I would also like to thank my predecessor, Chris White, for the work he did as a constituency MP, and specifically his support for the charitable sector and the local games industry. He served the community well, and I wish him well. It is work that I will most definitely build on.
It is a happy coincidence that my maiden speech should coincide with the news, published yesterday in The Independent and by the BBC, that Leamington has been declared the happiest town in the UK. Delightfully, the survey that led to this finding was conducted after
My constituency is not only the happiest place in the UK. Apparently, it was one of the first provincial towns in England to possess the other key attribute of happiness —a good range of Indian restaurants. You do not need to take my word for it: whilst a predecessor, Sir Anthony Eden, liked to quote from Shakespeare, in this instance I am going to quote from the historian, Lizzie Collingham, author of a definitive history of curry:
“Leamington was one of the first provincial English towns to have a selection of Indian restaurants. The area’s very proximity to Coventry and Birmingham, where many of Britain’s Bangladeshi and Pakistani immigrants found work in the car industry, made it, where Indian food is concerned, one of Britain’s pioneering towns. It still is.”
As if to underline that, one of our very many local establishments was proclaimed winner of Midlands Curry House of the Year and shortlisted for the national awards. So none of you should need any inducement to visit the locality—and you will be most welcome.
But good eating is not all it has to offer. My constituency has been home to such luminaries as Joseph Arch, a 19th-century pioneer in unionising agricultural workers and in championing their welfare. Arch also agitated for the widening of the franchise—ambitions that were to some degree fulfilled in the Representation of the People Act 1884. In the ensuing 1885 general election, Arch was returned as the Liberal MP—we can all make mistakes—for North West Norfolk, making him the first agricultural labourer to enter the House of Commons.
My constituency was also home to Randolph Turpin, who was considered by some to be Europe’s best middleweight boxer of the 1940s and ‘50s, and went on to become the undisputed middleweight champion of the world, in defeating no less than Sugar Ray Robinson. And it was home to Sir Frank Whittle, one of Britain’s greatest inventors, the creator of the jet engine, and indeed once to my hon. Friend Toby Perkins, the as-yet-unknighted Toby Perkins.
Warwick is famous for its glorious castle, the seat of the legendary kingmaker Guy of Warwick. It is the medieval county town for a shire that once included both Birmingham and Coventry. Today that would be some county. Leamington, its noisy neighbour, is perhaps now the happiest town in the UK but was certainly not favoured by the late John Betjeman in his poem “Death in Leamington.” Fortunately, Betjeman saved his greater wrath for elsewhere, famously inviting “friendly bombs” to rain down upon a different town. In fact, despite being a major manufacturing centre, the constituency was not the victim of significant bombing in the second world war, unlike neighbouring Coventry, sadly, but during the war it was the seat of an important team of camoufleurs—artists and engineers who played a leading role in developing the art and science of camouflage. It is interesting that one of the constituency’s most significant contributions to the defence of our country back then was through design.
Design and innovation permeate the recent history of our towns. In the post-war period, the legendary Donald Healey set up his car business on the Emscote Road in Warwick, going on to produce some of the finest sports cars the world has ever seen. Not far away, Malcolm Sayer was designing the E-Type Jaguar. I am proud of my constituency’s impressive contributions to design and technology and its continuing role in developing innovative technologies of all sorts. That continues to this day with the world-leading Warwick Manufacturing Group, which is part of the University of Warwick and has collaborated with industry, Government and other universities in developing battery cell technology, new materials, and digital applications. It is therefore no surprise that what is still referred to as the gaming industry finds itself home here. Along with Dundee, it leads the industry with more than 50 local businesses, employing 2,500 people and generating £188 million in turnover, and it is about to grow exponentially. I am proud that it is leading the revolution in not just virtual reality, but augmented reality. I can honestly say that I have seen the future— through a headset.
The constituency’s relative economic buoyancy is exactly that: relative. It has depended on the single market and the customs union, together with our openness to attract the best in the world. Football clubs, such as my beloved Arsenal, have benefited similarly. Warwick and Leamington is an exceptionally diverse, international and multicultural community. Engineers, designers, academics and working people of all sorts from Europe and around the world have made the area their home. As Leamington’s proud restaurant history reminds us, it has also long been home to distinguished communities originating from the Indian subcontinent, who have played, and continue to play, an important role in the economic and cultural life of the west midlands. By way of example, our magnificent gurdwara is now celebrating its 50th year. That diversity explains in part my constituency’s openness to international business and migration. It voted remain in the EU referendum. Since the vote, residents and representatives of Warwick University, Jaguar Land Rover and other businesses have consistently voiced their concerns to me about the impact of Brexit. They tell me that they simply want clarity and certainty—urgently. Economic matters are critical in their planning, and they expect Government responsibility, not party infighting. I am confident that they would agree with me: no deal, no way. They are right to worry.
The prolonged lack of clarity over the post-Brexit landscape on the British economy is an issue for the majority of my constituents. Some have already voiced their concerns about potential exclusion from the EU’s data protection framework, which would impede the continued free flow of data among EU and EEA states, without which businesses and the economy will suffer. The Lords EU Select Committee states that we are facing a dangerous cliff edge in that regard. Data is critical in our society and for our businesses, but we need strong safeguards. I echo the words of my hon. Friend Kevin Brennan about what data means, particularly for the younger generation, who, interestingly, can be viewed as a data commodity, but we must not allow our young people to become a commodity.
My constituents are already noting Brexit’s impact on the region’s ability to attract and retain the talented skilled workers on which it relies, and they are worried about the continuing weakness of the economy overall. The economy is extremely fragile and vulnerable to currency fluctuation and interest rate changes. Since 2015, we have witnessed a surge in unsecured household debt, which has reached levels not seen since 2007-08. Consumption growth—the sole driver of the UK economy for nearly a decade—is faltering, partly because much of that growth was driven by the £35 billion windfall that households received in PPI repayments. That is some economic stimulus by any measure. The effect of that short-term windfall is now tailing off. Since 2011, that extraordinary, one-off cash injection helped to fund, for example, higher retail car sales and new kitchens, but for little longer. Car sales have been falling since April 2017, which is as good an indicator as any that consumer confidence is declining significantly. Investment growth—the real driver of wealth—has failed to return to the UK after the financial crash of 2008, but only here. Growth in all other developed nations now exceeds the UK’s.
Like so many of the Government’s claims, assertions about Conservative economic competence have proven ill founded. UK debt has continued to rise. The Government have failed to meet their own economic targets. Real wages have fallen by 15% for many in the public sector and have been stagnant for most. CPI inflation is rising and will soon exceed 3%. Household budgets are being truly squeezed. Sterling has fallen by up to 20%; by contrast, personal unsecured debt has sky-rocketed.
Individually, those elements would be concerning enough; together, they augur serious concern. At the same time, the cost of housing is rocketing. In my constituency, average rents have increased by 26% in the past six years. In the past 10 years, only 50 council homes have been built in the area although 2,400 people are on the housing waiting list. Last year, 705 people applied as homeless to the local authority—130% up on 2010, compared with a 29% increase nationally over the same period. Some 3,600 people in my constituency regularly use our food banks. There are several night shelters in our towns and in recent months the numbers attending have doubled. The work there is increasingly important and I place on the record my thanks to Margaret, Chris, Susan, Vishal and all the other volunteers.
Quite simply, the housing market is broken. As has been confirmed by a Prime Minister not known for her Marxist principles, the energy market is also broken. As with so many Government announcements these days, it is too little, too late. Energy is ripe for revolution and it is vital that we should take this opportunity to democratise it. That will bring prosperity to all, as well as address the urgent crisis of climate change.
In his maiden speech in 2010, my predecessor stated that Warwick and Leamington had excellent frontline services. He was right: in 2010, we did. Seven years on, we do not. We have lost police—in Warwick, we have lost the police station. We have lost teachers, full-time firefighters, and health professionals from the NHS. Many are demoralised. I will not continue because all hon. Members face the same reality in their own constituencies.
What can we do? The International Monetary Fund has one suggestion: rebalance the tax system. A report just published by the IMF finds that higher income taxes for the rich would help reduce inequality without having an adverse impact on growth. Perhaps implementing some of the Labour party’s policies would be a good start to getting us on to a more secure economic footing as we face the enormous disruption of Brexit. Perhaps that is an announcement for next week. My constituents, whether residents or businesses, need, now more than ever, a strong Government ready to protect jobs, deliver a shared prosperity and enable all to flourish. Above all, I will speak for them. That is the vision that I will represent in Parliament. I thank hon. Members for their attention.
I congratulate Matt Western on his excellent maiden speech. It is a delight to hear that his constituency is such a happy place to live in. As the representative for Chelmsford, I inform the House that Chelmsford, too, is one of the happiest places to live in the country. Long may the hon. Gentleman and I have that in common. I listened with interest to his potential solutions for the British economy. We all want to find those. I do not believe that increasing taxes is a solution; sadly, that could lead to less demand for the Jaguar Land Rovers that the hon. Gentleman’s constituency is so proud to produce.
This debate is vital. Data is the lifeblood of the modern economy. Our ability to analyse vast quantities of it has totally transformed our understanding of the planet in which we live, of how we interact as a society and even of the very make-up of our bodies. Data is revolutionising our healthcare with amazing personalised medicines. The chief executive of our civil service explained earlier this year how data is fundamentally changing the delivery of the civil service, with huge benefits to improve the experience of the citizen, make Government more efficient and boost business in the wider economy. Consumers benefit, too: data flows mean we can access online goods, services and digital content never before thought possible; we get increased choice through cross-border platforms and cloud computing; and this underpins so many of those key financial services that consumers take for granted today.
The digital world is borderless, and the ability to transfer data seamlessly across borders is what underpins so much of our trade with Europe today. As I said in my earlier intervention, techUK suggests that the UK is home to more than 10% of all global data flows, with three quarters of those flows being between the UK and the rest of Europe. That data flows because of trust, and data protection is key to keeping that trust and fundamental to maintaining this trade. There are no World Trade Organisation backstops for data, and, as the Minister has said, securing an adequacy agreement is a priority, as it must be. Crashing out of Europe without a deal on data would not be a good deal, for our tech, medical and medical research sectors, for consumers or for our financial services. That is why it is so important that we make sure that there is an adequate deal on adequacy.
The GDPR set the global standard on data protection, and, as some in this House have mentioned, the UK was crucial in delivering that deal. The committee in the Parliament was chaired by a British Labour MEP, and a lead negotiator was a British Conservative MEP who now sits in the other place. On this side of the channel we should not underestimate how sensitive the issue of the treatment of personal data is. In Britain we have a long history of freedom, but in other countries in Europe people have sometimes found that their personal data has been abused by their state and their liberty has been constrained. The right to privacy of personal data is a treasured, fundamental right, which is why it is such good news that our Bill on data brings the principles of the GDPR—the European regulation—into British law. As we leave the EU, if we are to have that deep trading partnership in the future that the Prime Minister wants to deliver, we need to reassure our European neighbours that we will continue to act responsibly on personal data. We need to put the GDPR into British law, as the Bill does.
As the Minister correctly said, the digital world is continually evolving, so we need to be ready to evolve our digital legislation continually. That is why I was extremely pleased to hear the Prime Minister talk in her Florence speech not only about ensuring we have the same standards and regulations as we leave Europe, but about how she is committed to delivering an ongoing regulatory dialogue on key issues and areas such as this.
I do not wish to underestimate how challenging it will be to ensure that we deliver the data adequacy agreement. I remember spending time in Washington and Brussels during the EU-US privacy shield negotiations, and that was the No. 1 issue being discussed in the Oval office and at the top of the European Commission. It was the top priority, rising above everything else on the agenda. Nevertheless, on data there is good will on both sides to get a deal.
Given my hon. Friend’s experience in the European Parliament, does she agree that it is not only vital that we get the right agreement as we come out of the EU, but that we establish the right arrangements for the ongoing updating of our law in co-operation with other jurisdictions such as the EU or the USA? It is not just a one-off task; it has to be ongoing and the Government need to ensure that the right systems are in place so that it is ongoing after we leave the EU.
My hon. Friend is spot-on correct. We need not only to get things right and workable on the day of exit, but to maintain an ongoing relationship. As the Prime Minister has said many times, we are not leaving Europe; its countries will remain our closest neighbours and currently account for nearly half our trade. Ongoing co-operation on issues such as data protection is not only vital for our future but will help us to continue to lead the global dialogue in this policy area.
Some people seem to think that European politicians want no deal; I do not believe that to be true. From the conversations I have had, I believe that the vast majority of politicians throughout Europe want an ongoing, deep, bespoke partnership with the UK, and data is just one of the many areas in which they want that. Just this morning I welcomed to the House a colleague from the European Parliament: the Spanish lady MEP who helped me to deliver, through the EU, the end of mobile phone roaming charges. She is a leading light in digital policy and an excellent ally on digital issues. She explained to me how right now, throughout Europe, they are looking at the free flow of non-personal data. The UK called for legislation in this area, and Europe is now delivering. The leadership on the issue in the European Parliament has just been allocated to a member of the European Conservatives and Reformists—the Government’s European sister party.
We continue to want to lead and work on these issues, not only up to the time of Brexit but in co-operation thereafter. I say again: crashing out of Europe with no deal will not be good for the UK or for Europe, and it is not what the vast majority on this or the other side of the channel wants.
I thank the hon. Lady for her intervention, but I simply do not agree. On issues such as digital data and digital transfer, the UK continues to lead, has an ongoing dialogue and is engaged. The fine details of the negotiations are moving forward. Nobody ever said it would be easy. We do need to keep focused on delivering a deal, not on throwing mud at each other.
Let me make a few points about the Bill, as I do believe that it is great. As Opposition Members have suggested, techUK has raised concerns about whether the withdrawal Bill will give all the necessary powers to bring the GDPR into British law and whether the right to personal data is clear enough in British law. I was very pleased to hear the Minister say that he wants to ensure that there is an absolutely seamless transfer of what is currently held in European law on to the British statute book. We need to ensure that the tech sector is absolutely happy with the way that that is worded. That does not necessarily need to happen through the amendment to the withdrawal Bill, but we need to ensure that the Minister’s stated intention of a seamless transfer is delivered.
I wish to ask the Minister one question. One of the fine details of the GDPR is to make sure that it is implementable without putting an unnecessary handbrake on businesses or other organisations that need to be able to analyse data in order to use it for the benefits of society. There is some concern that the Intellectual Property Office in the UK may be gold plating a little through some of its draft guidance. In particular, the data controller is asking organisations to name third parties who would rely on an ongoing transfer of data, whereas the GDPR says that they need to give only the type of category—not the name of the individual organisation. We need to be especially careful that we do not gold plate, or cause companies to have to put in extra constraints.
Fundamentally, the ability to collect, communicate and understand data is pivotal to a modern economy’s success. It needs to work not just in the UK, but across borders. This is a massive step in ensuring that we will continue to act as good neighbours both to Europe and others in the way that we treat personal data. I am delighted to see that we are moving on with that process.
It is a pleasure to follow my regional neighbour, Vicky Ford. May I congratulate my hon. Friend Matt Western on his excellent maiden speech? He started by suggesting that he was going to talk about happiness, which is something that we could all do with much more of, and then quite rightly began to reflect on the everyday experiences of his constituents which, sadly, involve less happiness. He did manage to conclude on a positive and optimistic note for the future. I congratulate him on his contribution and on choosing to make it in a debate in which, as we have heard, the stakes are so high. When the public voted last year, I doubt that any of those who voted leave were actually voting to make data transfers more difficult, to make business more complicated, to stop the planes flying, to find video games unplayable, and to find regularly used websites suddenly becoming unavailable. If
Some have described the movement of data across Europe as the fifth freedom. In fact, my hon. Friend Kevin Brennan made exactly that point. I suspect that most of us, and most of our fellow citizens, are only dimly aware of what actually happens to our data, but it does really matter. The design, extent and provisions of the British data protection framework will have profound implications for the nature of UK-EU trade relations. Today’s debate is particularly timely given the proceedings on the Data Protection Bill that are already under way in the other place. It is vital that we get this framework right.
I chair the all-party group on data analytics, and I have seen at first hand the way in which data has moved to the centre of every sector. Wherever we go, people are talking about data. I hope that the Minister will accept an invitation to meet the all-party group fairly soon to talk about how we can build awareness not just of how transformational this is likely to be, but of how complicated it will be to ensure that we get it right.
As we have heard, data is an increasingly valuable commodity, with the UK conducting three quarters of its cross-border data exchange with the European Union. The EU data economy was worth €272 billion in 2015 and has continued to grow rapidly since.
We have played a key role within the European Union in developing the GDPR, which will come into effect in the UK from May 2018. The European Commission proposed this new legislative framework back in January 2012 as an update and a levelling mechanism to protect citizens across Europe. It has taken five years of discussion and hard work for the regulation to be agreed. This significant measure for the UK does a number of things. It significantly widens the definition of personal data, transforms the notion of consent, carries severe fines for companies in case of non-compliance, and fundamentally alters the way in which companies can store and process personal data.
Back in February, the Minister told the House of Lords EU Home Affairs Sub-Committee that the GDPR was a “good piece of legislation”, and I welcome the Government’s sensible decision to adopt the GDPR into UK law. But, as many have pointed out, there are problems ahead, not least with some elements of the relationship with the Investigatory Powers Act 2016. Both techUK and Ukie—the Association for UK Interactive Entertainment—which covers things such as video games, highlighted that concern when the Government published their paper in August, and both noted that the paper did not address an issue that the Government knew to be problematic.
Why would it matter if data flows were interrupted? Well, we are good at data in the UK. Our digitally intensive industries account for 16% of gross value added, 24% of total UK exports and 3 million jobs. The digital sector is growing 32% faster than the national average. We are at a significant competitive advantage in the digital economy. At 10% of GDP, the digital economy makes a larger contribution to our economy than that in any other G20 country, so it really matters to us. Beyond that, it is a vital enabler in the overall UK economy and society. We are increasingly digitised, with all sectors increasingly reliant on data flows. They underpin retail, health, finance, manufacturing and the automotive industries, to name just a few. The Government have confirmed that:
“Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.”
That confirms that they do understand and appreciate the importance of data protection.
Additionally, data flows benefit consumers, allowing innovation in products and services, streamlining performance in industry and improving global communication. They reduce business costs, leading to more investment in research and development, and improve productivity. In some ways, the problem is that our membership of the European Union gives us special advantages. In a profound irony, we actually have more control over our own privacy regime when we are within the European Union than we will have when we are outside it. Let me explain how that comes about.
Outside the EU, we become a third country in terms of our relationship with the European Union. The Government say that the best way forward is an adequacy agreement, or something akin to one, which would need to be secured with the European Commission. There are alternatives, but they are difficult, unstable and particularly ill-suited to UK businesses, especially small and medium-sized enterprises. The large corporations may be able to manage, but the small businesses will not. UK firms, particularly the start-ups in my part of the country, would have to jump through hoops and hurdles that their European counterparts would not have to. While our companies would be spending time and money agreeing standard contractual clauses with customers, their EU counterparts and competitors would simply be getting on with business.
My hon. Friend is absolutely right. Much work needs to be done to raise awareness of what the GDPR will mean. That is a challenge, but it is a good thing in general. The worry is that if it will not be available for our smaller companies in the future, that already challenging task will be made even more difficult. In fact, it will be so difficult in many cases that small companies in areas like mine will simply up sticks and go somewhere else where the process is easier.
I fully recognise the points made by Government Members. They understand a lot of this and say that an adequacy decision would be the best possible solution to ensure the
“unhindered exchange of data within an appropriate data protection environment”.
The partnership paper clearly states that future data protection co-operation
“could build on the existing adequacy model”.
If we are to achieve that objective, ensuring the continued alignment of the UK’s data protection framework with the EU’s will be key. That should, therefore, be the primary consideration in any discussion of the provisions of the Data Protection Bill. Any deviation from the provisions of the GDPR could put at risk achieving a successful outcome as we seek an adequacy decision.
We also need to look to the future, because if we do get that adequacy agreement, given the close alignment of UK and EU data protection frameworks, the Government must prioritise ICO involvement in the formulation of future EU data protection provisions. As we have heard, the EU will inevitably update the GDPR as time and technology progress. However, we risk these changes being dictated to us, and a duty needs to be placed on the ICO and the commissioner to maintain regulations that keep the UK adequate with the latest version of EU law. Even if we can achieve that, there is a great irony here, in that we will, effectively, be dictated to—it is not quite the taking back control that some were seeking.
Perhaps more important is that just saying that we would like an adequacy agreement is not the same as actually getting one. We might wish for one, but will we be able to have it? Will others agree? There are various problems, which I hope the Minister will address. The first is time. Obtaining an adequacy decision is feasible only for third countries. It follows that, to get one, the UK will need to have left the EU at the time of the ruling, which leads to the very real danger of a data protection cliff edge. In evidence to one of our Committees, Stewart Room, head of data protection at PricewaterhouseCoopers, said that obtaining such a decision could take “many, many years”. So this week’s talk of no deal is highly risky when it comes to data. The risk of a cliff edge is very real and very dangerous.
Then there is the Investigatory Powers Act. There is a danger that some of our neighbours may no longer be inclined to share data with a country that takes a different view on privacy issues from them. As members of the EU, our different traditions are respected; as a third country, things could be very different. The provisions in the Investigatory Powers Act, and the current investigatory practices in our intelligence services, which allow the police to access personal data such as communications or internet data without a requirement for independent judicial approval or for the issue being investigated to be of a certain level of seriousness, will be a legitimate concern for some countries in the EU when negotiating an adequacy agreement. Perhaps the Minister can tell us what work has been done on this and what assurances have already been received.
The ruling of the Court of Justice of the European Union in the Watson case with regard to the UK’s surveillance and bulk data retention regime is also important. The Court’s decision stated that the UK’s surveillance and data retention laws—then the Data Retention and Investigatory Powers Act 2014—exceeded the EU’s view of what is strictly necessary and appropriate. That model of retaining communications data is broadly mirrored in the new Investigatory Powers Act—the replacement for DRIPA. It is hardly inconceivable, therefore, that the EU could decide that the UK does not reach its standards for adequacy. On this rather complicated set of issues, I should say that I am grateful to Renate Sampson of Big Brother Watch for explaining some of these points to me.
My next concern was about the European charter of fundamental rights, but it has already been touched on in the excellent discussion triggered by the contribution from my right hon. Friend Stephen Timms, whom I will be supporting in his efforts to secure amendment 151 when we discuss the European Union (Withdrawal) Bill.
There is a further point about that Bill. We know that it is controversial and that there are concerns that ministerial alterations can be made without parliamentary votes. If the GDPR were to be altered during the repeal process, and citizens’ personal data rights were in any way diminished, we could be prevented from being anywhere near the level of protection deemed adequate by the EU. The Information Commissioner has made it clear that for the UK to achieve the gold standard of data protection regulation and enforcement, the right way forward is to fully adopt the GDPR, and that position must be maintained.
UK businesses and organisations have already started preparing for the GDPR, which is good. That should stand us in good stead when it comes to an adequacy discussion. It is vital that we enshrine the GDPR in our law permanently in a clean Data Protection Bill so that data can still flow, businesses can still run and communications do not just stop. However, it is of the utmost importance that we commit to these rules for the long term and provide certainty for individuals and businesses. The economic consequences of not being able to move personal data would be very serious, with companies having to double-store data. That would take a long time to implement, and it would have serious economic and environmental costs, and run the risk of our not being able to operate properly across borders. It would, at a stroke, put at risk the UK’s place as a global hub for tech and other data-intensive industries. There is a huge amount at stake.
There is, of course, a simple alternative that looks more and more obvious with every passing day to some of us, as Brexit morphs into wrecks-it. But until we reach the point at which sense prevails, I hope that the Minister will share with us information on the work being done, especially on fine-tuning the relationship between the GDPR and the IPA, to ensure that the data keeps flowing and we can remain part of the modern world.
I congratulate my hon. Friend Matt Western on his maiden speech, which reminded me of a happy childhood visit to Warwick castle. I am sure that he will make fantastic contributions to the House in the future.
The transfer of data is critical for the functioning of our economy. The proper management and control of data is increasingly a matter of civil liberties. Roughly 70% of the UK’s trade in services is reliant on the free flow of personal data. The EU’s data economy is expected to be worth £643 billion by 2020 and millions of UK citizens share their lives online. To be able to operate, UK businesses require clarity on the legal basis for data transfer post Brexit.
As the Minister asserted, the Government’s future partnership paper presents the adequacy model as the basis for a future UK-EU agreement on exchanging and protecting personal data. As my hon. Friend Daniel Zeichner said, the alternatives—making use of binding corporate rules or standard contractual clauses—would be burdensome, costly and create considerable uncertainty for individuals and businesses. Given that a post-Brexit UK will find itself in a position of unprecedented alignment with existing EU laws and norms, it does appear that an adequacy agreement is the most sensible way forward. The UK—it is hoped—will be designated by the European Commission as providing adequate protection for personal data, and it will be business as usual.
As the House of Lords European Union Committee has made clear, however, even if the UK positioned itself in perfect alignment with EU rules as it exits, it is very likely that the EU will amend or reform its data law in the near future, thus threatening the UK’s adequacy status. Divergence between the EU and a post-Brexit UK may come sooner rather than later.
In 2009, the EU’s charter of fundamental rights became legally binding. The charter codified existing EU rights and principles and is now the source document for EU fundamental rights. Article 8 of the CFR covers the protections of personal data—the right to privacy and the right to data protection that serve as the foundation for the EU’s data protection law. The European Union’s general data protection regulation, which will apply in the UK from May 2018, creates and enhances data protections and rights for EU citizens in continuity with the principles of article 8 and the CFR more generally.
Much is made of the EU’s novel right to be forgotten, but the GDPR also speaks to the issue of algorithmic decision making and processes that significantly affect users every moment of the day for most of our citizens—the Minister is probably being affected right now, as he is on his phone. It also creates a right to explanation whereby individuals can ask for details on how decisions about them were made—for example, on access to credit. As such, the GDPR creates a requirement on those designing algorithms and evaluation frameworks to avoid prejudicial decision making and to enable easy explanations for users.
Those rights and norms are at the cutting edge of global data protections law and are essential for our tech industry in the UK. They are possible because the EU is developing its data protection laws in accordance with the principles expressed in the charter of fundamental rights. However, the Government have made it clear that the charter will not form part of domestic law on or after exit day. As such, significant divergence from EU data protection norms may begin sooner than expected, putting our tech industry in incredible jeopardy.
Once the UK has surrendered its place at the EU’s decision-making table, as is the Government’s intention, our ability to exert influence on the future of EU data law will be greatly diminished. Not only are we presented with yet another possibility of the UK being demoted from rule maker to rule taker, but the constant anxiety that the UK may fall out of compliance with EU data laws is deeply unhelpful to individuals and UK businesses of whatever magnitude. If compliance with the charter of fundamental rights is required in practice to secure regulatory harmony and thus business confidence, the Government’s commitment to jettisoning the charter appears increasingly odd.
Securing the free flow of data, especially for an economy such as ours that is largely service based, should be a pressing imperative for the Government. Ensuring that individuals are protected by rigorous data protection laws should be a top priority for the Government. I think it prudent therefore that the Government look again at their intention to bin the charter of fundamental rights as part of their EU withdrawal plans.
I declare my interest as set out in the Register of Members’ Financial Interests. I pay tribute to my hon. Friend Matt Western for the excellent curry in his constituency. As one of the few vegan MPs, I will happily visit and partake of the curried tofu if there is a vegan option; perhaps it will be better than that served in the Members’ Tea Room, grateful though I am for the option.
I was somewhat confused when I saw this debate on the Order Paper, not least because the Data Protection Bill is in the other place and scheduled to arrive here in due course, as the title was, “Exiting the European Union and Data Protection”. I therefore came with great hope—indeed, hope is the watchword of today—that the debate might be about some updates on how we will seek an agreement on adequacy with the European Union. Given that we are relying on hope and on some form of adequacy agreement—to proceed without an adequacy agreement would be, much like the rest of the Brexit policy, completely incoherent—I hope that the Minister will keep us posted on the progress that is being made towards an agreement, the timelines for doing so and the headway made in conversations about it.
We have a very short period in which to implement complicated and wide-ranging new laws. The Data Protection Bill, as we have heard today, incorporates not just GDPR issues for non-EU areas of competency, but matters of law enforcement and other things that have wide-ranging implications for our country and our laws. Those things must fit around the GDPR, which, as I said in my earlier intervention, will probably become law through a statutory instrument under the European Union (Withdrawal) Bill. I restate my ask of the Government that we should have the opportunity to debate that statutory instrument in substance in this House, not least because some of its important provisions require debate to guide businesses in my constituency and across the country on their application. An example concerns the right to human intervention when a decision has been made using profiling and automated processes—things such as algorithms. Many of my hon. Friends and other members of the Select Committee on Science and Technology will be looking at that issue, but some have grave concern about whether, when we bring in machine learning and changing algorithms, it is even possible to deliver the right to human intervention.
The Bill, which already covers many areas of law, is the start of a wider conversation that includes the network and information security directive and—to go to the important question of marketing, which my right hon. Friend Stephen Timms spoke about—the e-privacy regulation. How will those fit together? How will businesses, charities and other organisations, many of which do not have rooms full of lawyers and compliance specialists to help them to implement the law, know how everything fits together?
The Prime Minister and—dare I say?—her most ill-informed Brexiteer MPs seem happy with the idea of a no-deal hard Brexit. Many people can visualise lorries on the border, unable to export British goods to the continent. The same would be true for data. With a hard Brexit, there would be a standstill, and there would be blockages on the border for data. Much as with the goods in those trucks in Dover and in the port of Avonmouth in Bristol North West, that would be a disaster for business, consumers and importantly, as we have heard, for policing and the prevention of criminal activity.
The issues that the hon. Gentleman is setting out are crucial to the whole Brexit debate. Would he agree that one of the major inadequacies of the debate until the referendum was that such issues were not debated and that they were not well understood?
I agree with that sentiment. Dare I say it, but very few Government Members are present? Although my right hon. Friend the Member for East Ham said this may be an anorak issue, it is in fact crucial to our economy, our new civil liberties and the type of country we want to live in. We should be having such a debate, and I again restate our request that we should do so in this House not only on the Data Protection Bill, but on the GDPR statutory instrument.
I am looking forward to the Data Protection Bill and I am excited about the Committee stage, but I will take this opportunity to address some of the strategic issues that many Members have mentioned: first, the basis of data protection law in the European charter of fundamental rights, on which I will not revisit the arguments already made but will, I hope, add something interesting and new to the debate; secondly, the incoherence between the necessity to mirror EU law and the Government’s illogical policy approach on Brexit; and lastly, the rights and protections of children.
First, as we have heard in this debate, the Government have made it clear that the European charter of fundamental rights will be revoked under the European Union (Withdrawal) Bill. The Minister said that the GDPR in effect says the same thing, but article 8 of the charter, which underpins the GDPR, is referenced in article 45 of the GDPR. If the GDPR is referencing out to statutory, fundamental rights and we take that anchor away, we must replace it elsewhere. I will therefore support the amendment to the Bill proposed by my right hon. Friend the Member for East Ham, to ensure that that happens.
I am sorry to intervene, but I have already explained that because European jurisprudence is being brought into UK law, references to the charter in existing case law will be brought into UK law, which satisfies the hon. Gentleman’s demand.
With respect to the Minister, I am not persuaded that that will be agreed by the European Commission. Of course ECJ jurisprudence will be Supreme Court jurisprudence in this country and will be referenced by judges in that Court, but without a statutory anchor ensuring that the fundamental right is, in their view, in favour of the consumer and the data subject, we risk divergence on the application of the rules.
I want to mention the right of collective address. Under the GDPR, bodies can campaign and bring actions against data controllers in the interests of consumers and data subjects as a whole. This works very well in other areas of the law in this country, such as the Consumer Rights Act 2015. Under that Act, Which?, as a private enforcer of unfair terms, can act on behalf of consumers. For some reason, the Government have decided not to adopt such an approach in the Data Protection Bill. I look to the Minister in his closing remarks to explain why he does not think organisations should be able to bring actions for collective redress on behalf of data subjects. Many data subjects may not be able to enforce their own rights as individuals but rely on such organisations to act in their interests.
On fundamental rights more broadly, I am still confused. I hope that the Minister will provide clarification in this final debate of the week by showing how, although we must maintain fundamental rights, we are also removing them. It is much like being in the single market and leaving it, much like being in Europe but not being in Europe, and much like protecting fundamental rights and not protecting them. What is the answer? The Data Protection Bill seeks to ensure transparency and accountability, and in the light of that theme, I hope the Minister will respond on fundamental rights.
Secondly, if we are successful in seeking an adequacy agreement, it is then for us to maintain equivalence as part of that developing area of EU law, as other Members have said. That will require the UK to adopt the decisions of the newly created European Data Protection Board, which is subject to the jurisprudence of the European Court of Justice. Yet the Government insist that we can be both in and out, which is ludicrous, as I have said. They also say that we can be in it without being subject to the rules, but we know that that is a fallacy. Will the Minister confirm whether the Government’s policy is to get an adequacy agreement either this year or next year, only for it to be revoked in a few years’ time because we do not want to be subject to the jurisdiction of the ECJ? We must be subject to its jurisdiction if we are to maintain adequacy, but we will be forever on the cliff edge of being concerned that adequacy will be removed—as it was from the United States of America by the European Commission—and that is the risk our businesses, our consumers, our charities and others fear.
Lastly, I wish to address the rights and protections of children. I will return to this topic in detail on Second Reading. It is a great disappointment that the European Union has backtracked and pulled back slightly on this issue, so that instead of having a harmonised rule saying that children deserve extra protections—especially in the context of understanding how their use of online products and services means giving over personal data, how that personal data is profiled and how advertising is targeted on children—the European Union decided to provide members states with a range of ages to choose from, from 13 to 16.
As my hon. Friend Kevin Brennan said, the UK opted for the age of 13 as the minimum GDPR requirement. I think that is the wrong decision and, according to polls by YouGov, 80% of parents agree with me. However, I encourage us to be intelligent about the way we regulate to support children. It is obvious that if we put in these frameworks children may find ways to use the systems anyway. No doubt there are a number of children under the age of 12 and 13 using social media sites today. We must make sure that the regulation is—dare I say?—with the kids. It needs to make sense and it needs to work properly. I look forward to having that debate and no doubt a shared aim.
As we prepare for the arrival of the Data Protection Bill, this is the first glimpse of a major piece of proposed legislation that highlights the enormous challenges with implementing Brexit. It is not just an issue of primary law for many of the issues we have talked about today; it is about clear rules and about compliance by those subjected to it. On clear rules, I refer to comments made by the Baroness Lane-Fox on Second Reading in the other place, when she pulled out a particularly entertaining section the Data Protection Bill, which reads:
“Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR… In this Chapter, ‘the applied Chapter 2’ means Chapter 2 of this Part as applied by this Chapter”.
Other than that sounding like something out of the “Yes Minister” comedy series, it says to me, as a former lawyer, expense. People will be concerned—quite frankly, charities and other groups will be terrified—about getting this wrong. They will have to endure huge compliance costs in trying to implement what should be clear rules into their business.
Following on from what Vicky Ford said—she is not in her place—on compliance and guidance from the ICO, I stress this point with the Minister: many businesses want to do the right thing. They wait on guidance from the ICO and others to tell them what the law means and how they will seek to enforce that law. However, much guidance has either been delayed or is not yet with us. The guidance that has been provided is not, in many cases, sufficiently clear either. We must support the ICO properly to ensure it can provide that service, and we must make sure that people know how to comply with the law.
The UK is, as we have heard, one of the world’s leading digital economies. Bristol is one of the largest digital economies outside of London, and we lead the way on these issues in the world. We have the opportunity to set the tone in becoming a global hub for the world’s digital economy based not only on trust, accountability and security, but on business innovation and leadership. I look forward to helping the Government in this House to get that right.
I congratulate Matt Western on his excellent maiden speech. What an honour it must be to represent such a happy, diverse and, may I say, sensible community. No deal, no way. I completely agree. His constituents seem to be much more clear-sighted than some Members on the Government Benches. May I remind the Government to start taking the Brexit negotiations seriously? May I also remind the Government that the British people deserve the right to have their personal data protected, both here in the UK and cross-border? As we have heard today, there are many complications post Brexit.
The cross-border general data protection regulation will be brought in by the EU and be applicable here in the UK in May 2018, but there is no clarity on how data protection will be regulated in post-Brexit Britain. That is entirely a matter for the phase two negotiations and we have not even started them. Business needs clarity. Data protection regulation is a vital issue for the technology sector. This will affect the sector in every way, whether it is for individuals buying something online or logging on to Facebook, or for large companies operating internationally. As we have also heard today, the tech sector is one of the UK’s success stories. It provides 10% of our GDP, 24% of our exports and over 3 million jobs.
Data protection is central not just to the tech sector but to our whole economy. Any business of any size needs to be able to transfer data across borders safely. If we leave without a deal on data protection, British businesses will not be able to operate internationally. So much for the Government’s vision of a global Britain! We have already seen how Brexit is beginning to damage the economy. The uncertainty facing the tech sector is just another example of how serious a no-deal scenario would be for the whole economy. Conservative Members cannot claim to be the party of business if they can seriously say that no deal is better than a bad deal—no deal is the very worst deal possible.
The Government say they will negotiate an adequacy agreement or even an enhanced agreement, but as we see time and again, what they say they will get and what they actually achieve are often very different things. While the EU general data protection regulations will come into effect in 2018—before we leave—the European Commission will still have to agree that the UK is providing adequate data protection after we leave. A few years ago, however, the European Court of Justice deemed aspects of the UK’s Data Retention and Investigatory Powers Act 2014 as illegal. Ironically, the case was brought to the ECJ by the right hon. Member who is now the Secretary of State for Exiting the European Union.
That demonstrates that the UK has a history of failing to comply with EU data protection laws. Once outside the EU, the Commission will regularly review whether it thinks UK data protection regulations are acceptable. We will have to agree with its regulations, which are under ECJ oversight, but without having a say over them. That will be the reality post Brexit, and it is important that we all come to terms with it. Frankly, I doubt whether the Government in the Brexit negotiations will even get to the issue being discussed today. This week has been full of talk of no deal. The clock is ticking, and as we heard today, the negotiations in Brussels are deadlocked. It is for the Government to unlock that deadlock. The Prime Minister has the cheek to say the ball is in the EU’s court. I say that the Government have failed even to pick up the racket, let alone hit the ball over the net.
I congratulate Matt Western on an incredible speech. It is always a pleasure to listen to Members’ maiden speeches, and I enjoyed his as well. I am not sure I will go to Leamington Spa for my holidays, but none the less I was greatly intrigued by his presentation.
It is hard to pick up a newspaper, listen to the radio or follow the news today without hearing about Brexit and its impact on the UK. Normally when there is good news, it is presented as being in spite of Brexit. That kind of rhetoric is not helpful. The fact is that a majority of 17.4 million people, of whom I was one, voted to leave the EU. A majority of my constituents voted to leave as well. We are now upholding that decision, as is only right in a democratic society. Of course, it is right and proper, as we are doing today, to discuss the implications and solutions surrounding the decision and to recognise the opportunities that Brexit can bring for the people of the United Kingdom of Great Britain and Northern Ireland.
In July, the House of Lords European Union Select Committee examined the impact that Brexit would have on data protection in the UK. At the time, the conclusion was that there was a lack of detail about how the Government would maintain the flow of data post Brexit, as others have said. Under the EU’s data protection framework, a country outside the EU and EEA is classed as a third country, and personal data can be transferred to a third country only where adequate protection is guaranteed. Since the Lords Select Committee published its findings, the Prime Minister has announced a transitional period after the UK leaves the EU in March 2019, meaning that we can safely secure an adequacy decision from the European Commission. Since the Government have continually stressed their desire to secure the unhindered flow of data between the UK and the EU post Brexit, that seems a very desirable solution. I believe it is one that everyone in this House—everyone who has participated in this debate and those who have not—would want to see.
Regardless of Brexit, it is important to remember that we are already experiencing a change in our data protection laws. The Queen’s Speech included plans to secure a data protection framework that is suitable for a new digital age. Unsurprisingly, the way in which data is used and processed has changed significantly since 1995. The purpose of the new Bill will be to implement the general data protection regulation. Research shows that some 80% of people feel that they do not have complete control over their data online. The Information Commissioner’s Office, the data protection regulator, will also be given more power to defend consumer interests and issue higher fines. Implementing the GDPR, which the UK is due to do on
There is a lot of doom and gloom among some sections in this House and also outside, but it is important to remember how successful the UK is, particularly in data protection—something that I am confident will improve even further with the new Data Protection Bill, as I am sure the Minister will confirm in his summing up. The UK is one of the leading drivers of high data protection standards across the globe. Data flows are important for both the UK and EU economies and for wider co-operation, including in law enforcement. I think we can all agree that it is vital for keeping our countries safe, which is a critical factor.
In 2015, the EU data economy was estimated to be worth €272 billion, which is around 2% of EU GDP. Estimates suggest that its value could rise to €643 billion by 2020, or more than 3% of GDP, although this is subject to legal and policy frameworks being put in place. Estimates suggest that around 43% of all EU digital companies are started in the UK and that 75% of the UK’s cross-border data flows are with EU countries. Analysis indicates that the UK has the largest internet economy as a percentage of GDP of all the G20 countries and has an economy dominated by service sectors, in which data and data flows are increasingly vital. The UK accounted for 11.5% of global cross-border data flows in 2015, compared with 3.9% of global GDP, but the value of data flows to the wider economy is even greater. Surely these statistics are evidence of the need to continue and secure the flow of data between both the EU and the UK.
The GDPR has a number of provisions, including the transfer of personal data to third countries and international organisations. To that end, it puts the Commission in charge of assessing the level of protection given by a territory or processing sector in a third country. Achieving an adequacy decision from the European Commission, while completely possible, is not guaranteed —other Members have also put questions about that. For example, Canada has been approved for only certain types of personal data. If for whatever reason the UK’s laws are not considered to meet the adequacy standard, businesses in the UK would be subject to the same restrictions that currently apply to data transfers from the EU to the US. Surely early certainty about how we can extend the current provisions, alongside an agreed negotiating timeline for longer-term arrangements, will give businesses on both sides certainty for the future. I understand that everyone wants to secure an agreement on data sharing with the European Union as quickly as possible, but will the Minister clarify the Government’s position on what will happen if we do not achieve approval from the Commission?
I want to conclude with some remarks about Northern Ireland, because it is important to get this on the record. We are all aware in this House of the special case that those of us in Northern Ireland find ourselves in. We are the only part of the United Kingdom that will share a land border with an EU member state. As with many other things, specific thought will need to be given to the impact of data protection matters not only in Northern Ireland, but across the whole of the United Kingdom. For example, if for whatever reason we are unable to secure an agreement or an adequacy decision, any Irish company with a UK base will find itself in a difficult position, which could have implications for us in Northern Ireland.
Earlier this year, KPMG considered this issue and found that where an Irish company has a UK-based operation and holds, for example, payroll data about Irish or other EU nationals in that UK base, it may need to start considering whether it relocates that base to another EU state. Alternatively, the company may instead have to adopt standards compatible with the new EU rules, such as binding corporate rules. Otherwise, unless and until the UK receives Commission approval, or some form of bilateral agreement is reached, any transfers of payroll data from Ireland to the UK post Brexit will fall foul of the GDPR. It is also worth noting that any company that is found to have transferred payroll data in breach of the GDPR may be subject to a fine amounting to 4% of its global turnover, or €20 million. If a company had offices in Dublin and Belfast or Dublin and London, for example, that could—or would—present a significant problem.
When it comes to our joint security, sharing personal data is essential for our wider co-operation in the fight against serious crime and terrorism. Between October 2014 and September 2015, the UK Financial Intelligence Unit received 1,566 requests from international partners for financial intelligence, at least 800 of which came from EU member states. The UK is instrumental in contributing high-quality information, analysis and expertise in areas such as passenger data and financial intelligence. It also gains considerable benefit from the information provided by other member states in bringing criminals to justice within its own borders.
Data-sharing is a vital part of our counter-terrorism strategies. The Europol website recognises the importance of working not only with the EU but with its international partners. It points out that
“organised crime does not stop at international borders…it is also essential to have cooperation initiatives with… non-EU States and international organisations”.
That makes clear the shared understanding that keeping our countries safe is widely accepted as being non-negotiable, both within Europe and internationally.
Often, when we consider threats of terrorism, we look at the physical attacks, but while that cannot and must never be overlooked, we must also consider the way in which the use of data is changing. It is changing continually; it is changing as we sit here. As it becomes more sophisticated, the number of cyber-threats from state and non-state actors increase, and those threats do not respect borders. Earlier this year, the WannaCry ransomware infections caused thousands of simultaneous cyber-attacks to be recorded across the globe, affecting more than 100 countries in a co-ordinated breach of IT systems in both private and public sector bodies. As technologies evolve and cyber-threats grow, it is vital that law enforcement keeps pace and develops capabilities to stay ahead of attackers whom we must work together with our European and international partners to defeat.
As has already been mentioned, the increasingly international, borderless nature of criminal activity makes the swift and efficient availability of data essential to modern law enforcement. The ability of law enforcement agencies to conduct point-to-point data exchange is critical to developing lines of inquiry, identifying suspects, and taking appropriate action.
I will end my speech now, because I have been told by the Whips to conform to a certain time. I appreciate that I have covered a number of topics—as have all the other speakers—but I think we can all agree on the importance of securing an agreement with the European Union so that we can continue to share data in the same way as we do now. That will ensure that businesses in the UK, and those from EU states with UK bases, can operate as they have done previously. It will also enable our countries to continue to co-operate in vitally important areas, sharing data and information in the fight against terrorism and criminality.
I look forward to hearing the Minister’s comments. As a Brexiteer, I am sure that we are moving forward in a constructive and positive way.
With the leave of the House, Madam Deputy Speaker.
This has been a very interesting debate. It has, in a sense, been the First Reading of a Bill, which is an innovation on the Government’s part. Although the Bill is currently in the House of Lords, I suspect that there may be a degree of repetition when it eventually comes here for its Second Reading. However, I am sure that the Minister’s Second Reading speech will be completely original, and will not contain any of the information that he has given us this afternoon.
The debate has also been very well informed, and we have heard from Members on both sides of the House. Robert Neill drew attention to the importance of tech companies in London, and also to the importance of bespoke arrangements for when Britain leaves the European Union. The Scottish National party’s Front Bench spokesman, Brendan O’Hara, expressed many of the views that I think we share, and I am sure that they will be developed on Second Reading and in Committee. Stephen Kerr, who is no longer in the Chamber, spoke about the accountability and ethics involved in data use, and said that he was a champion of free trade. I was not entirely sure that I grasped how his point about adequacy fitted in with what the Minister had said about something “akin to” adequacy, but he gave his own explanation nevertheless. My right hon. Friend Stephen Timms was, as usual, erudite and informed, but never anorakish, in his contribution, and made some extremely important points [Interruption.] The Minister is shouting “Rubbish”; I know he is not doing so about the content of my right hon. Friend’s speech, because my right hon. Friend made some extremely important points about the EU charter of fundamental rights and clarity on the adequacy agreement. I know the Minister was listening carefully, because he intervened on my right hon. Friend, but I hope he reflects on what my right hon. Friend said before the Bill comes to us on Second Reading.
We then had the immense pleasure of a maiden speech from my hon. Friend Matt Western, which is indeed a very beautiful and happy place. My daughter recently spent three years in Leamington Spa while a student at Warwick University—and was a member of the Leamingtones singing group—and I can confirm that it is a very happy place. My hon. Friend rightly paid tribute to his predecessor. I hope his predecessor does not mind my saying—this is not meant in a mean-spirited way—that I was quite pleased when he lost his seat, because for some reason people thought he and I looked alike. That was perhaps something to do with our stature or our glasses, and from time to time we were mistaken for each other. I wish him well outside the House and look forward to people no longer saying to me “You must have a double” every time I was mistaken for him around this place. My hon. Friend rightly paid gracious tribute to his predecessor, and his maiden speech was very witty and erudite, as well as serious. We wish him a long and successful career in this House, and I am sure he will make a great contribution.
Vicky Ford made her contribution, and then my hon. Friend Daniel Zeichner made a very thorough speech. He told us of his chairmanship of the all-party group on data analytics. We should thank it for the briefing it supplied ahead of this debate, which was very useful, and should also mention other briefings that were supplied but not referred to during the debate, such as that from the Association of British Insurers, many of whose points have come out in general debate in any case.
Showing the talent on the Labour Benches, we also had excellent contributions from my hon. Friends the Members for Leeds North West (Alex Sobel) and for Bristol North West (Darren Jones), and I hope they will serve on the Bill Committee, as they could both bring great forensic analysis to the scrutiny of the Minister, who I know, having debated with him before, welcomes that immensely from the Opposition in Committee. I am sorry that my hon. Friend the Member for Bristol North West outed himself as a lawyer in this area, as I was hoping that we might spring him as a surprise on the Minister, but now I know he will be going away and doing research on my hon. Friend. We also had a contribution from Wera Hobhouse, who pointed out the importance of a good Brexit deal and the damage that uncertainty is causing to business.
Finally, we heard from Jim Shannon, a very popular Member of this House, who was still able to make a very good speech in spite of Brexit. As ever, he was fluent and assiduous in his contribution, and he pointed out the special position of Northern Ireland, having a land border with the EU post-Brexit, which we must never forget is a key issue.
I will not repeat the points I made in my speech, but I remind the Minister that I asked him to explain, and hope he is able to, the thinking behind the Government’s derogation on the minimum age for a child consenting in respect of the processing of their personal data at 13 years rather than 16 years. If he can rehearse that for the House at this point, it will perhaps be helpful when we consider it further down the line when the Bill comes before us, as it will if he also responds to the key points made in the debate by me and other Members in relation to adequacy, security and so on. We look forward to hearing the Minister’s response to the debate.
With the leave of the House, Madam Deputy Speaker, I shall reply for the Government to this excellent debate. I shall try to answer the points raised, unconventional as that might seem.
The subject of the debate could not be more important. The digital revolution is one of the biggest things happening to this country and the world. Indeed, I think the digital revolution as a whole is bigger than Brexit. Stephen Timms thought this would be an anorak-like debate, but hoped it would not. Well, I think we could liken the debate to an anorak because in some circumstances anoraks are incredibly important. The debate may have been detailed and technical in parts, but it is vital to get these things right for our country’s future.
As others have said, what a pleasure it was to hear the fine maiden speech by Matt Western. He even introduced a word that I had never heard—camoufleurs. What a description! He spoke well of his new constituency, especially the design industry, and the gaming industry that is so important there. He spoke of history and the future. As the Minister for the gaming industry and for VR and AR, I am thrilled to hear that he will continue to champion them; I look forward to engaging with him often.
I was delighted to hear that Leamington is the happiest place to live. Funnily enough, I thought that was Suffolk. I give the hon. Gentleman a gentle warning about hostages to fortune: he very gently and elegantly took the credit for Leamington’s being the happiest place in the country, so now we all know where to look if it all goes wrong.
I almost called the Labour Front-Bench spokesman, Kevin Brennan, my hon. Friend because we have spent so much time together in Committee in the past. I look forward to doing so again in future. I was surprised to learn two new things about him. I am astonished that he has university-age children; he looks as though he has barely left university himself. And he says he is delighted that the former Member for Warwick and Leamington, Chris White, is no longer in the House because he is a double. He can imagine how I felt when Mike Hancock was defeated!
The hon. Member for Cardiff West asked some serious and important questions. First, he raised the question of parental consent at the age of 13. There is flexibility in the GDPR legislation to set the age of parental consent at any age between 13 and 16. In the UK that age is effectively 12 at the moment—although it is not set in the same way—which means that we are raising the age. We of course recognise the fundamental role that the internet plays in the lives of teenagers, and we agree that it is vital to educate children, not only on the positives of the internet—coding has been in the curriculum for three or four years—but on the risks. The internet safety strategy published yesterday stated that we will do more to educate children about safety, but online platforms also give children educational and social resource, and the rules need to be realistic if they are to work. We do not want to introduce an unworkable rule.
This is a balanced judgment, but I believe we were right when we chose the age of 13. It was suggested that we did so because the Irish Government decided on 13, but the point about GDPR is that what matters is whose data it is, so it is not a question of the dataset in which the data is stored; it is a question of how old the child is.
The hon. Member for Cardiff West, and several other hon. Members, asked about the adequacy of our national security legislation. We are already compliant with EU law on data protection, with the Intellectual Property (Unjustified Threats) Bill, and we will be after exit. We are confident that that legislation should not present a significant obstacle to negotiations, not least because we have one of the most robust oversight frameworks in the world, and we brought in judicial oversight as part of the move from the Data Retention and Investigatory Powers Act 2014 to the Investigatory Powers Act 2016.
We heard an excellent speech from my hon. Friend Robert Neill, who argued that how data rules relate to finance is a huge issue to be tackled. He is absolutely right, and we do have regular discussions with the financial sector. None of us should forget his point that it is in the interests of both the UK and the EU to get things right. We will help to ensure that Gibraltar has market access to the UK, which my hon. Friend cares about. That may require a degree of regulatory equivalence, and he knows that those discussions are ongoing. Our intention to maintain the data relationship for law enforcement purposes is clear, which is why we are putting the law enforcement directive into UK law as part of the Data Protection Bill. We want to continue to have a strong partnership with the EU. There is no legal barrier to the EU establishing an international agreement giving third countries access to SIS II and the European Criminal Records Information System. We are exploring a full range of options, but much of the detail will obviously be down to the negotiations.
I am delighted that the Scottish National Party supports our approach, and I am grateful for the support of both the Scottish Government and the SNP Members here. When Brendan O’Hara said that what I had said previously was absolutely right, I started to worry a little—we do not usually hear that from the SNP Benches—but he then asked specifically about a no-deal scenario. In the annex to the paper we published in the summer, we outlined other ways to ensure the flow of data, and we do consider all options. There are alternative means of legal transfer of data, but we fully expect a good deal. Jim Shannon made the same point, but he stressed that this is about not just the future EU-UK relationship, but the UK’s relationships all around the world and our ability to get strong trading relationships underpinned by data that is protected with good cyber-security.
My hon. Friend Stephen Kerr argued powerfully that data protection must be based on trust—my hon. Friend Vicky Ford made a similar point—and mentioned the advantage of future flexibility in a position in which Britain can lead across the world. He mentioned our history on that topic and the computer Manchester 1, which my mother worked on, and Stirling’s growing digital economy. He asked us to raise our eyes to the horizon and ensure that we get this right across the world.
Like Daniel Zeichner, my hon. Friend the Member for Stirling asked about the EU-US privacy shield and post-Brexit data flows. We of course want to maintain the current protections for UK citizens under the privacy shield after exit. We want to ensure that data flows between the UK and third countries with EU adequacy decisions, like the US, can continue on the same basis. That is part and parcel of what we are trying to achieve.
The hon. Member for Cambridge also asked about dialogue with the EU on the future partnerships paper, and that is ongoing. For example, the Secretary of State for Justice is at the Justice and Home Affairs Council this week and will be speaking about that paper, setting out in particular the argument that we are approaching Brexit from a point of harmonisation. Keeping the Data Protection Bill harmonised with the GDPR will be critical as we take the Bill through both Houses, and I am glad for the Opposition’s support in maintaining that position.
The right hon. Member for East Ham made a characteristically excellent speech. I hope he is not on the Bill Committee, and I mean that as a compliment. However, he was wrong about the loss of influence, and my hon. Friend the Member for Chelmsford, who was in the European Parliament at the time, pointed out just how influential both Labour and Conservative British MEPs were in ensuring that we got a good piece of GDPR legislation.
I want to make it absolutely clear that our goal is an agreement that builds on the existing model of adequacy. We are seeking an arrangement at least as strong as adequacy—stronger, in fact. There was a bit of debate about whether how I put things in my opening speech implied that we were moving off adequacy. We are not. I say again that we are seeking an arrangement at least as strong as adequacy—stronger, in fact—as part of the negotiation.
Does the Minister recognise that the absence of article 8 will make his goal harder to achieve? He said that we can look elsewhere in the body of European law, and it is all terribly vague and badly defined. The problem is that that will not convince the Commission—and it is the Commission that he has to convince about adequacy.
I think the right hon. Gentleman is wrong on this point, which no doubt we will debate during the passage of the Bill. We know of no other jurisdiction with an adequacy deal that has been required to put the charter into law. Such a requirement has not been imposed anywhere else, so there is no reason for it in this case. The charter is a summary of laws present elsewhere and we are bringing the jurisprudence into UK law. Our goals are the same; in a sense, the question is a legal one. The fact that such a requirement has not existed in any other adequacy arrangements implies that the issue should not be problem for us, not least because of our strong legal basis for bringing GDPR into UK law.
On mail and direct marketing by post, I should like to correct the right hon. Gentleman slightly. Data controllers will need a legal basis for this under GDPR, but article 6 sets out a number of potential legal bases, not only consent. That does not change the reality on the ground from the current data protection arrangements. I hope that I have provided adequate reassurance.
The right hon. Gentleman and Alex Sobel raised article 8, as did others. I am clear about the strength of the assurance that I have given and I hope that Opposition Members accept it. When private businesses consider their future arrangements, I hope that Members on both sides will make clear our determination to get a deal that is as good as adequacy, if not better. We want people to continue to do business and thrive here in the UK.
My hon. Friend the Member for Chelmsford, whom I have mentioned a couple of times, made a powerful and informed speech. Of course we think that the passenger data transfer is important; the referendum does not change how important it is. The EU already has third country arrangements in place with others, so we see no reason why the issue cannot be fixed. I am also sure that Chelmsford is a happy place to live; I wonder whether that is down to my hon. Friend or her ebullient predecessor.
I also agree with my hon. Friend that we must be vigilant and not gold-plate the Data Protection Bill through Information Commissioner’s Office guidance. No doubt we will discuss that during the passage of the Bill. I have regular conversations with the ICO about exactly that issue. We want guidance to come out early. In some cases, the ICO is having to wait for guidance from the Commission and that causes the delay—it is not the fault of the Information Commissioner. But we do want guidance to be in clear, simple language, not gold-plated, and to come out as early as is reasonably practicable. I thank the Information Commissioner and all her team for her excellent work.
The Minister says that the guidance should come out early, but it is already too late in respect of direct applicability of the general data protection regulation for many businesses, which may need to carry out major systems changes if guidance says something that they are not expecting based on interpretation of the article. Will he say to the ICO that, where guidance is late and that makes it harder for organisations to make those changes, there will be some leeway when it comes to enforcement?
The hon. Gentleman speaks like a true lawyer. The hon. Member for Cardiff West said that the hon. Gentleman had been outed as a lawyer during this debate—my goodness, he outs himself as a lawyer from the first moment he strikes his posture in this Chamber. He is obviously a lawyer and that latest point only proves it further. The ICO has already said that and it is well worth reading the Information Commissioner’s Cambridge speech from a couple of months ago, which set out that reassurance. The hon. Gentleman asked about timing and complained about there not being an agreement already. We want to get on and discuss the future relationship, and the Government have made that clear; it is the European side that is blocking progressing on to the future relationship. I hope that we can get on and discuss it forthwith.
As I have said, we have been in Brussels and heard time and again from different sides that it is up to the UK Government to break that deadlock. There are two issues where they are free to break it; this is particularly the case on the money issue, but Government Members do not want to face that, because even a penny to pay in compensation or in the divorce bill will not be good enough. That is why we are in deadlock and we cannot move on.
The hon. Lady is wrong about that. She is also wrong to have said that there is no certainty about the future UK data protection arrangements, because there is and we are putting it into law: it will be the GDPR, plus the Data Protection Bill, which is before the other House. Although she was completely wrong, I am grateful for her intervention.
This has been a very productive debate and I am grateful for the largely very well-informed and detailed discussion, all of which has been good natured. I look forward to continuing this over the months ahead. There is a shared mission in this House to have a high-quality data agreement with the European Union to make sure we have high-quality data protection and the free flow of data. I hope I have given assurances about the actions we are taking to deliver that and to support the digital economy, through Brexit and beyond.
Question put and agreed to.
That this House
has considered Exiting the European Union and Data Protection.