My Lords, it is always a pleasure to follow the noble Lord, Lord McNally. It is always a good thing when one optimist follows another. As chairman of the EU Home Affairs Sub-Committee, I will speak mainly about the EU Committee’s report on the EU data protection package, which we are debating alongside the Second Reading of the Data Protection Bill.
I understand that it is unusual procedure to debate a committee report alongside a Bill but I believe that it makes sense on this occasion. As the noble Lord, Lord Stevenson, said, the committee meets shortly—indeed, tomorrow—and I am sure it will consider his proposal, but taking into account how that would fit in with the traditional role of the committee and the programme we already have before us, I am sure the noble Lord will forgive me if I do not go further than that at this stage. We have not yet received a response to our report from the Government, which we await with keen anticipation, but we are pleased that this Second Reading debate has given us an opportunity to bring the EU Committee’s findings to the attention of the House.
In their recent Brexit position paper, The Exchange and Protection of Personal Data—A Future Partnership Paper, the Government said that they wanted to maintain free and uninterrupted data flows with the EU after we leave; and in proposing a new security and criminal justice treaty between the UK and the EU in her recent Florence speech, the Prime Minister laid out her ambition for a model underpinned by, among other things, high standards of data protection. Our report supports this objective: free and uninterrupted data flows matter to us all. But the committee was struck by the absence of clear and concrete proposals for how the Government plan to deliver that objective. The stakes are high, not least because the introduction of greater friction in data transfers could present a real barrier to future trade. It is hard to overstate the importance of cross-border data flows to the UK economy. Getting on for half of all large EU digital companies are based in the UK, and three-quarters of the UK’s cross-border data flows are with EU countries. What is more, any impediments to data flows following our withdrawal from the EU could seriously hinder police and security co-operation, and that means that lives, not just money, are at stake.
In our report, we considered four elements of the EU’s data protection package: the general data protection regulation—the GDPR—which the Data Protection Bill seeks to transpose into UK law; the police and criminal justice directive; the EU-US privacy shield, and the EU-US umbrella agreement. Both the regulation and the directive will enter into force in May 2018, while we are still a member of the EU. The agreements with the US are already in force, but will cease to apply to the UK after our withdrawal. Our report considers the Government’s policy options both short and long term.
The committee wanted first to look at possible data protection arrangements once the UK becomes a third country outside the EU, and we heard evidence on two broad options. The first option is for the UK Government to secure a so-called adequacy decision from the European Commission which would certify that the UK offered a standard of protection that was “essentially equivalent” to EU data protection standards. To date, the Commission has adopted 12 such decisions. The second option would be for individual data controllers and processors to adopt their own safeguards using tools such as standard contractual clauses and binding corporate rules. Our report comes to a clear conclusion that this second option would be less effective. The tools available to individual data controllers, including small businesses, are bureaucratic and would be vulnerable to legal challenges. We therefore agree with the Information Commissioner that the Government should seek an adequacy decision for the UK as a whole. This should offer certainty for businesses, particularly SMEs. It would also follow the approach taken by Switzerland, which has secured an adequacy decision from the EU. I am therefore pleased that the Government’s position paper also calls for a future relationship that builds on the adequacy model.
But there is a fly in this particular ointment. The general data protection regulation only provides for adequacy decisions for third countries, not countries leaving the EU. Decisions also follow a lengthy procedure, so the chances of having an adequacy decision in place by March 2019 are small. So to avoid a cliff edge, we will need transitional arrangements. The Government’s position paper acknowledges this but lacks detail. I hope that in responding to this debate the Minister will update us on the Government’s thinking on transition and perhaps provide some more of that detail. In particular, I hope that as a Home Office Minister she can comment on the risks facing law enforcement. One of the most striking findings in our inquiry was that as a third country the UK could find itself held to higher standards of data protection than as a member state. This will be the case both when the European Commission considers an adequacy decision and when the UK’s data retention and surveillance regime is tested before the Court of Justice, at which point we will no longer be able to rely on the national security exemption enjoyed by member states under the EU treaties. The United States has fallen foul of EU data protection law in the past, and it is not impossible that the United Kingdom will do the same when it is no longer a member state.
On a related theme, the committee also considered whether the UK’s data protection regime would continue to be influenced by EU legislation after withdrawal. What we found was that the general data protection regulation will continue to apply to transfers of personal data from the EU to the UK, significantly affecting UK businesses that handle EU data. If we obtain an adequacy decision, the rulings of the new European Data Protection Board and the Court of Justice will have an effect, albeit indirectly, by altering the standards that the UK will need to maintain an adequate level of protection. This means that there will be no clean break. We will also continue to be affected by EU rules on the onward transfer of personal data to third countries. This could be a particular problem in the field of security, whereby our approach to sharing personal data with, say, the United States could put any adequacy decision at risk. In summary, it seems likely that EU and UK data protection practices will need to remain alive long after we leave the EU.
The Bill that we are debating today reflects a comprehensive EU data protection regime which has been heavily influenced over the years by the United Kingdom. Withdrawal from the EU means that we stand to lose the institutional platform from which we have exercised that influence. The committee’s report therefore concludes that the Government must aim to retain the UK’s influence wherever possible, starting by securing a continuing role for the Information Commissioner’s Office on the European Data Protection Board. I am glad that the Government’s data protection position paper spells out our aim to do just that, but in the longer term, the Government will also need to find a way to work in partnership with the EU to influence the development of data protection standards at both the EU and the global level. The continued success of our commercial and security relations with the EU will depend on that.