My Lords, today we are concerned with the protection of personal data once the UK has withdrawn from the EU, when EU law will cease to apply in the UK.
Noble Lords will recall from debates last year on the Data Protection Bill that much of our current data protection framework derives from EU measures. When the UK leaves the EU, the GDPR will be retained in domestic law through the European Union (Withdrawal) Act 2018. That Act also permits fixes to be made so that the retained version of the UK GDPR continues to be operable in a domestic context. That is what the regulations before the House today are designed to do.
Before we look at the changes in more detail, it is important to make clear the general approach. The purpose of this exercise is to correct deficiencies arising from our departure from the EU. As such, these regulations do not significantly affect UK businesses or erode people’s data protection rights. We are looking to maintain continuity. This approach will put the UK in the best possible position to receive a positive adequacy decision from the EU.
Many of the amendments made to the GDPR by these regulations simply replace European Union-related terminology with UK equivalents. For example, there are many references in the GDPR to “member states” or “member state law”. These references have typically been amended by these regulations to refer to “the UK” and “domestic law” respectively, or removed altogether. For greater clarity post exit, the retained version of the GDPR as amended by these regulations will be known as the UK GDPR.
However, simply replacing European terminology with UK equivalents does not address all the deficiencies that arise as a result of our exit from the EU. The Government have given careful thought to how the UK GDPR and the Data Protection Act 2018 should approach these remaining deficiencies. I shall address a number of these important issues in more detail.
The GDPR and Part 3 of the Data Protection Act 2018, which implemented the law enforcement directive, restrict the transfer of personal data to third countries unless certain safeguards are met. One of those safeguards is where the third country concerned, or a sector within the country, has been deemed “adequate” by the EU Commission. Once an adequacy decision has been granted, data can flow freely to that country or sector. In the absence of an adequacy decision, data can still be transferred to third countries, but the onus is on controllers to make sure that alternative safeguards, such as standard contractual clauses or binding corporate rules, are in place to ensure that the data is protected.
It would not be appropriate for the EU Commission to make adequacy decisions on behalf of the UK. Therefore, these regulations transfer the function of making adequacy decisions under article 45 of the GDPR and article 36 of the Law Enforcement Directive to the Secretary of State. Parliament will have the opportunity to scrutinise these decisions, including the opportunity to stop them from continuing to have effect. Similarly, the function of preparing standard contractual clauses is also transferred from the European Commission to the Secretary of State. The Information Commissioner will also continue to exercise this function, but will no longer be subject to EU Commission oversight.
To minimise any disruption to established general data flows from the UK to the EEA on the day of exit, a number of transitional provisions are made by these regulations. They include a provision to continue to treat EU member states, other EEA countries and Gibraltar as adequate in relation to general data processing under the UK GDPR. These provisions will be kept under review. Without such a provision, many UK businesses which are transferring personal data to businesses in the EEA on a regular basis would be forced to explore alternative mechanisms to ensure that transfers from the UK to the EEA continued to be lawful. For the purposes of adequacy assessments under the Law Enforcement Directive and Part 3 of the Data Protection Act 2018, EU member states and Gibraltar will, as a further transitional measure, automatically be deemed adequate to preserve the flow of critical law enforcement data from the UK to the EU and Gibraltar.
Although this is not strictly relevant to the purpose of this SI because it is an EU Commission matter, I should say that while the measures I have outlined should protect established data flows from the UK to the EU, the European Commission may not put reciprocal arrangements in place prior to our departure from the EU in a no-deal situation. The Government will continue to encourage the EU Commission to begin its adequacy assessment of the UK as soon as possible.
Many UK businesses will be accustomed to transferring personal data freely to countries that have already been deemed adequate in whole or in part by the EU Commission. The regulation also makes transitional provision for those decisions that were in place at the time this SI was laid in Parliament to continue to have effect as if they had been made by the Secretary of State. These arrangements will be kept under review. This includes the EU’s decision in relation to companies participating in the Privacy Shield scheme in the United States. To reflect specific arrangements put in place by the US to ensure the continued application of Privacy Shield and its protections for UK data transfers, further regulations will very shortly be brought forward to clarify that personal data can be transferred to US companies only when they have updated their Privacy Shield commitment to include the UK. Where UK organisations are relying on standard contractual clauses approved by the EU Commission as an adequate safeguard for transfers to other third countries, further transitional provisions will mean that they will not have to rewrite those contracts.
On the approach that the regulations take to the extraterritorial provisions in the GDPR, noble Lords may recall that, in addition to applying to data controllers that are based in the EEA, the GDPR applies to those based outside the EEA which are processing EEA data for the purposes of providing goods and services or monitoring individuals’ behaviour. Where a data controller outside the EEA is systematically processing the data of EEA residents, it is required to appoint a representative in the EEA to act as a contact point for EEA supervisory authorities. To ensure that there is no dilution in data protection standards when the UK leaves the EU, these regulations preserve the GDPR’s extraterritorial approach. This means that the UK GDPR will apply to certain data controllers based outside the UK which process the data, or monitor the behaviour, of data subjects in the UK.
Articles 60 to 76 of the current GDPR focus on how the different supervisory authorities in the EEA will work together to investigate data breaches and share guidance and best practice through the European Data Protection Board. Once the UK leaves the EU, there will be no automatic right for the Information Commissioner to sit on the EDPB or to participate in the GDPR’s one-stop-shop mechanism, so these provisions have been removed from the UK GDPR. The Government recognise the value of cross-border regulatory co-operation. That is why the draft political declaration makes it clear in paragraph 10 that the EU and the UK should collaborate to ensure that our regulators can continue to work together where it is in our shared interests. Clearly, we cannot pre-empt the outcome of these discussions. However, what we can do is to retain Article 50 of the GDPR in our law, which says that the Information Commissioner,
“shall take appropriate steps to … develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data”.
This ensures that, come what may, data protection authorities on both sides of the channel will have a common basis from which to develop new international co-operation mechanisms.
My Lords, if the Minister will forgive me, this is a crucial issue in what is going to happen. Where there is a data controller outside the United Kingdom in a no-deal scenario, will there be a requirement for it to have a representative inside the United Kingdom to replicate the existing EU arrangement? It was not clear from what the Minister has just said whether that will be an absolute requirement.
If they fulfil those conditions that I mentioned, the answer is yes.
I would like to touch on what our exit from the EU might mean for the applied GDPR, as provided for by Chapter 3 of Part 2 of the Data Protection Act 2018. Noble Lords will recall that we created a separate regime which provides for broadly equivalent standards to the GDPR to apply to processing activities that are outside the scope of EU law and covered by neither Part 3 nor 4 of the Act, which deal with processing by law enforcement and intelligence services respectively. This regime currently applies, for example, where a controller other than the intelligence services is processing for national security or defence purposes.
As the EU GDPR will not, as a matter of domestic law, apply directly to any general processing activities when we leave the EU, these regulations are intended to simplify matters by providing for a single regime for all general processing activities. Those provisions in the 2018 Act that provide for the applied GDPR, together with other references to the applied GDPR in legislation, are removed. Importantly, the provisions in the applied GDPR which currently provide exemptions from specified provisions where these are required for the purposes of safeguarding national security or for defence purposes have been retained in the merged regime. These exemptions balance the need to protect personal data against ensuring that the UK’s security and intelligence community can continue to carry out its vital work to safeguard national security. I should emphasise that the merger does not itself alter the purview of EU law so where aspects of domestic data protection law were outside EU competence before exit day, this will not change as a result of this instrument. We have included provisions in the regulations to make that point clear.
I believe that the approach the Government are taking is an appropriate way of addressing the deficiencies in domestic data protection laws resulting from the UK leaving the EU. The aim of these regulations is to ensure continuity for data subjects, controllers and processors by maintaining the same data protection standards that currently exist under the GDPR and the Data Protection Act 2018.
My remarks have focused on the changes made to the GDPR and the Data Protection Act because they are the most significant. For completeness, I should add that the regulations make a number of minor amendments to other legislation, consequential on the amendments we are making to the UK GDPR and Data Protection Act 2018. For example, they amend references to the “GDPR” in other legislation to refer to the “UK GDPR”.
They also address a small number of non-exit-related issues. They clarify that the GDPR definition of consent applies for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003, and address two minor drafting issues that were identified in Schedule 19 to the Data Protection Act 2018, shortly before it received Royal Assent. I commend these regulations to the House
My Lords, I am not sure the Minister is going to have quite the easy ride he had with the first statutory instrument. My eye was caught by a very detailed briefing by the law firm Fieldfisher on the consequences of this SI. It was the final paragraph that caught my eye. It says:
“From a broader perspective, the creation of a new data protection regime in the UK may present additional complexities for controllers and processors who are caught by both European and UK law and will therefore need to comply with both the GDPR and (in relation to UK customer data) something that looks like the GDPR but which may start to move away from it as time goes on”.
Those last words are ominous. There is no doubt that the GDPR was a great success for European co-operation. The noble Baroness, Lady O’Neill, reminded us earlier of the wide range of issues that we will have to take into account in protecting our democracy from data abuses. There are similar dangers in the protection of our commercial and business life. The value of the GDPR is that it gives us a strength of certainty of European legislation.
I will delay the House a little with a reminiscence. Between 2010 and 2013 I was the Minister at the Ministry of Justice responsible for the earlier negotiations on GDPR. I went to a meeting in Lithuania and throughout the day I noticed that there was one person sat at the table who never participated, voted or said anything. At the end I turned to the British ambassador and asked, “Who is the guy at the end of the table—he has not said anything?” “That is the Norwegian,” he said. “He can come and listen, but can’t vote and he is not involved our decisions.”
I often think of that when I hear people banging on about sovereignty. Sovereignty was best exercised by British Ministers at the table briefed, I have to say, by officials who were the people to go to. I will not name any particular official, but there was one man to go to as GDPR clunked its way through the machinery. There were “light touchers” and those who had quite recently experienced a Stasi or state abuse of personal data and privacy, and balancing the requirements of GDPR was part of the diplomacy our officials showed. I was also greatly assisted by our parliamentarians in the European Parliament: my noble friend Lady Ludford was very influential in steering the GDPR through some choppy waters.
The noble Lord, Lord Forsyth, who is not in his place, said a few weeks ago in one of our Brexit debates that the first time he went as a Minister to Brussels he felt resentment and animosity that he was being, as it were, dictated to by these foreigners. I do not think that I am being too misleading in saying that; I am sure that he will correct me later if I am wrong. He certainly did not feel at home there.
My first visit as a Minister was to Lithuania. I felt considerable pride that I was sitting with 27 colleagues in a part of Europe that had experienced every kind of dictatorship, from Nazism to communism. We were now sitting around a table trying to deal with one of the most important issues that we will have to face in the years ahead, with this fourth industrial revolution, artificial intelligence and the data revolution. It worries me that we are going into a period when data is described as the new oil, the most important and valued asset that we can have, while real doubts are still on the agenda and being exacerbated by the Brexit process—never, of course, put on the side of a bus.
The Minister gave sweet assurances on how quickly we would deal with adequacy. He is now shaking his head, so let us hear from him.
Just to be clear, I did not say anything about the speed with which the European Commission would provide its decision.
I am not blaming anyone, but an EU adequacy decision can be given only by the European Commission. It is not a question of blame; it is just a fact.
I will close with another one where I am sure that the Minister is not going to blame the European Commission but say that it is its responsibility. During the period that I am talking about, the stature and influence of our then Information Commissioner had a major impact on how we put the GDPR in place. Again, the Minister was unable to give us any real reassurances about whether we will be at the table in co-operation, or whether it is these difficult foreigners who are going to stop us doing that.
The Minister never said anything about difficult foreigners, but there has always been the impression that this would all be as smooth as smooth. “Do they not understood that we are trying to be helpful?”, we ask, when we have caused Europe so much disruption and cost by this act. In this case, it is essential that we are part of the ongoing dialogue. This GDPR is not the end of the process. As the House was discussing last week, these European laws are going to develop. How we then act and deal with them is going to affect where jurisdiction lies—with European or British courts.
The noble Lord has raised a litany of concerns about the GDPR regime after Brexit and cited a number of people who briefed him about it, including QCs and Members of the European Parliament. However, he will have noticed that there has been no public consultation at all on these regulations. There has been no opportunity for people directly affected to publicly brief us. Does he share my concern about that? Would he like to comment on the process of public consultation on these regulations?
It is, of course, a farce. These regulations are all being rushed through at the last minute and we know that we have to put them in place as the cliff edge approaches.
I do not want to be rude to Fieldfisher, because it provided some excellent briefing but, my God, the lawyers must be rubbing their hands at the cornucopia that is going to be tipped out to them as companies and individuals try to make sense of the reality. Whether we get a deal, or fall out, it will be a jagged, uncertain, unclear leaving.
Does the noble Lord accept just how unclear and what a complete pig’s breakfast the thing is already? I do not think you could make it worse. I have to deal with this on a day-to-day basis. It is a complete and utter mess and no lawyer can even give you a definitive opinion.
My Lords, first I have a couple of housekeeping questions which I hope are not too banal. I find considerable difficulty using the legislation.gov.uk website and its search function. Will the Minister ask his civil servants to check it out? Even if you search for “data protection 2019” under UK SIs, both the previous one and this are difficult to find. There was a
Secondly, I want to ask about the absence of an impact assessment. Paragraph 12 of the Explanatory Memorandum states that:
“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”.
The pretext is that, while the Government recognise that:
“Data flows from the EEA to the UK may be restricted post-exit”— because, if there is no deal, we will be plunged into a situation where there is no legal framework and no adequacy decision—
“that is as a consequence of the UK leaving the EU, not as a result of this instrument”.
That is the justification for having no impact assessment. However, if we left with a withdrawal deal and a transition there would be a legal framework, so this instrument, which provides for both a no-deal scenario and one in which there would be no adequacy decision, surely merits an impact assessment as well as the consultation to which the noble Lord, Lord Adonis, referred.
As the ICO has made clear, and as has been mentioned already, businesses may have to deal both with the ICO and with European data protection authorities in every EU and EEA state where they have customers. They may need a European representative if they process the data of people resident in the EEA or have customers in the EEA. There would be additional complexity if they had to comply with both the GDPR and the UK GDPR. They could face concurrent legal claims in both the UK and the EEA. Will the Minister amplify the justification for having no impact assessment? Data flows are crucial to many businesses, not just the tech industry—there is hardly a business or other organisation that they do not affect—so the rather blasé claim that no impact assessment is needed is not justified.
I am a bit confused—it may just be my lack of understanding—about the situation regarding EU adequacy decisions on third countries. Paragraph 2.8 of the Explanatory Memorandum says there will be,
“incorporated into UK domestic law … EU decisions on the adequacy of third countries and on standard contractual clauses, both of which are relevant for … international transfers”.
Paragraph 2.13 says:
“It will not be necessary to retain the EU decisions on adequacy and standard contractual clauses … so these are revoked by this instrument”.
If I have understood the Minister’s presentation, this is explained by the fact that we are recognising and incorporating past EU adequacy decisions, but that in the future, in a no-deal scenario, the UK will take over that function: I venture to suggest that that is not very clearly explained in the Explanatory Memorandum.
I do not often get that response from Ministers, so that is very gratifying.
Also, a second version of these regulations was published at the end of last week—I think the Minister referred to it—which is specifically about privacy shields in the US. I am rather surprised that we will have two separate considerations: why could they not have been incorporated into this debate? As the ICO pointed out in a notice a while ago, US companies will need to update their privacy shield commitments to state that they apply to transfers of personal data from the UK. That is a big deal for many companies. It is another reason for what I said about the need for an impact assessment. If that does not happen, a lot of companies will be in serious difficulty.
Will the Minister tell us what advice the Government are giving businesses on using standard contractual clauses or binding corporate rules in the absence of an adequacy decision? The European Data Protection Board issued a notice about this last week, on
The Government in their wisdom—or, some of us think, lack of wisdom—decided not to incorporate the Charter of Fundamental Rights, and not even its Article 8 on data protection. Therefore, reliance for privacy safeguards has to be found in the European Convention on Human Rights. Again, this has been commented on in the last couple of months. The political declaration has a strange expression whereby the UK is committing itself only to respect a framework of the ECHR. This is starting to get a bit thin. When the Commission looks at an adequacy assessment, of course it always has the European Parliament breathing down its neck; the Parliament does not have a legal role but looks at this area rather closely. It seems that the Government are shooting themselves in the foot with regard to saying, “We have a very high standard of commitment to human rights, including privacy”, and that is before you get to the fact that the Government, or the Conservative Party, are refusing to rule out abolition of the Human Rights Act, which is still in place. We know that when an adequacy decision comes to be made, the scope of the assessment is wider than if we were a member of the EU, and it will bring in things like surveillance by the intelligence agencies—for instance, under the Investigatory Powers Act. As noble Lords will know, in the Strasbourg court the UK was found—I think last September—in breach of the ECHR privacy obligations in respect of the bulk collection of data. How do the Government intend to reassure the European Commission as well as other EU players that they are thoroughly fit for purpose when it comes to getting an adequacy decision, and are these issues delaying the Commission advancing on that question?
My Lords, the noble Baroness, Lady Ludford, has raised some important points. It is totally unjustifiable that there is no impact assessment for this regulation; I hope that the Minister will address and explain that. The noble Baroness also made an important point about the way that data adequacy will be assessed if we are outside the EU, particularly in a no-deal scenario.
I will extend that to cover my perennial theme of consultation. No issue affects businesses and individuals across the country more than data. Indeed, we went through the whole GDPR exercise precisely because this is so central to our individual and community life. The fact that there has been no consultation at all on this regulation seems truly indefensible, so I hope that the Minister will say why that has been the case. The noble Lord, Lord McNally, said that data is now the new oil. He is absolutely right; it is as important to the functioning of our economy and our society as energy—it is a form of energy—and there clearly should have been consultation. Can the Minister say why there was no consultation? I assume that he will tell us again that there was no time, which begs the question of why we are going through this no-deal process at all if there is not time to conduct the normal processes of government in respect of it.
As ever, there is a bizarre twist to the statement on consultation. Paragraph 10 of the Explanatory Memorandum states:
“The government has not consulted publicly on this instrument”.
I presume that that means that they have consulted privately, and the House needs to know who has been consulted privately. The only body mentioned in paragraph 10 is the Information Commissioner’s Office, with which, it states, the regulation has been developed in consultation. Who else has been consulted privately and what were the selection criteria? Since the regulation was published, there have been representations. What representations have been made to the Minister’s department and what was their content?
The noble Baroness, Lady Ludford, also raised the issue of trying to assess the impact. Again we have doublespeak in respect of the regulations. We are told that their literal interpretation means that there is no further impact over and above the operation of existing European law. However, that is after, in the words of the White Queen in Alice in Wonderland, you have believed six impossible things before breakfast. Paragraph 12, entitled, “Impact”, states:
“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”,
It is impossible to separate the instrument from the fact that we are leaving the EU. The noble Baroness put her finger on a very important point, which is that if we leave the EU with a deal on the basis recommended by the Prime Minister, the impact might be radically different from that envisaged under the instrument, for two reasons. First, there will be a transition period in which nothing changes but, secondly, the political declaration heralds negotiations on a whole set of issues, including trade and data flows, which might well lead to our continuing in the existing GDPR regime. So the last sentence of paragraph 12 is not true. It is not true to say that the issue of data flows and the regulation of data is dependent on the UK leaving the EU, not as a result of the instrument. There is a crucial difference between leaving the EU with a deal—in particular, with a deal that maintains the status quo—and without a deal.
When the noble Lord, Lord McNally, cited one of his expensive lawyers, who had suggested that there may be additional complexity—
I was not suggesting that they were his personal expensive lawyers, just expensive lawyers who have chosen to brief him; I know that he could not possibly afford expensive lawyers. When he said that it depends on what happens as time goes on, he put his finger on a very important point. The whole point of no deal, with a separate regime under our ICO, is that we could quite quickly find ourselves diverging, and as we diverge, that will quickly impose burdens over and above those that would apply even if we left the EU with a deal.
I am also not sure it is true to say that there would be no burdens as a result of the regulations even at the outset. I am a lay man in this business, and trying to understand what is going on is very difficult, particularly because there has been no consultation and we do not have the opportunity to assess what people who are expert and directly affected have said. The reason I intervened on the Minister in his opening remarks is that, having been a company director who has had to deal with the implementation of the GDPR, I know that having a representative dealing with data matters inside the EEA is very important. Many companies have offshored a lot of their data-control activities, and the requirement of the GDPR that they must have a representative inside the EEA—which I think is the correct thing to do—is a definite burden. It means that companies have to employ not only additional individuals but have to set up additional offices, in essence, to cope with those flows in many cases, particularly if they are dealing with significant data-handling exercises which are outside the EEA at the moment. This happens all the time with call centres in India; many companies are in this territory.
My understanding of what the Minister said in our earlier exchange is that if we leave with no deal and therefore must set up our own UK data-monitoring regime immediately, there will be a requirement for every company operating outside the EEA—which must, under the GDPR, have a representative inside the EEA—to have a representative in the United Kingdom. I would be grateful if the Minister could confirm that because if it is true, that is an immediate and potentially significant burden.
The other important point is that people need to understand that these arrangements are reciprocal. One reason why we as a country have such a good services industry is because a lot of companies based in the UK do substantial business in the EEA and beyond. That is great. My assumption, although it is not spelled out in the Explanatory Memorandum, is that in a no-deal scenario, data controllers who are based in the UK but do substantial business in the EEA will be required by the European Union to have representatives in the European Union over and above their data controllers in the UK; these are not currently needed. I would be grateful if the Minister could address that point. This flows logically from the new regime being set up. I would be astonished if that is not the case because I do not think that the European Union would regard having a data controller in the United Kingdom as meeting its standards of data adequacy. I would be grateful if the Minister could confirm that.
On that point, it is apparent that this immediately imposes a burden, potentially a significant one, on every company that handles data in the European Union or the EEA, as opposed to just in the UK. That represents a substantial proportion of our companies. If we had had an impact assessment, as the noble Baroness, Lady Ludford, suggested, this issue would have been brought out and we would know its effect. If there had been public consultation, we would know, but there has been none—and we have had no impact assessment. To my surprise, the Select Committees of this House that oversee instruments and put them to us have not raised these issues, which seem substantial and should have been raised before these instruments came to this House.
I think my noble friend has not quite got it. I assure him that, as the noble Lord, Lord Cunningham, said earlier, Sub-Committee B is in the process of sending a letter to the Treasury complaining about the national policy it laid down on not having impact assessments for these instruments. Every week, we are seeing dozens of instruments with references to both informal consultation and none, but now it has been picked up that there is a national policy not to have impact assessments.
That raises the issue of why that is not in any of the information before your Lordships. I was not aware of that at all. It is not flagged up in any of the documentation. Like other noble Lords, I appreciate hugely the work done by our Select Committees but the committee’s view is not always completely clear to the House when these instruments come before it, unless the committee has issued a formal report. We do not get full value from our Select Committees in the way that their work is presented. For instance, I am surprised that the chairs of these Select Committees do not comment on these instruments based on the committees’ work. I see that one of the chairs is sitting opposite; perhaps he would like to intervene.
All I can say at the moment is that the letter to which the noble Lord, Lord Rooker, referred has not gone quite yet.
That is because of a dispute between the two chairs. Sub-Committee B agreed in discussions last week about the terms of that letter and will meet tomorrow. I do not know what has happened today in Sub-Committee A, but Sub-Committee B made a decision, based on the statutory instruments it saw, to object to the Treasury’s objectionable policy. If Sub-Committee A does not agree, I hope that Sub-Committee B—which is dealing with half of these instruments—will send the letter on its own. Another member of Sub-Committee B is currently sitting in the Chamber.
I have to say that this for me is a black box. Because of my other duties I have not been able to spend time analysing what is going on in Sub-Committees A and B, but this is very important because hundreds of these instruments are coming to us.
I turn to the issue of there being no consultation, which my noble friend Lord Rooker referred to. I have been going on about it for weeks. This has been true of every single no-deal instrument that has come to your Lordships. It is deeply and profoundly unsatisfactory. In my view this ought to have been flagged up for each of these instruments from the beginning and ought to have been a reason for them not to come before the House. How can we possibly conduct the proper business of the nation in terms of changing the law when we do not have any public consultation with any of the sectors that are affected by these instruments? We are dependent on the expensive lawyers of the noble Lord, Lord McNally, even to spell out the most basic features of these regulations—which, first, will not be apparent to those of us who are lay people and, secondly, which those people who are affected have had no opportunity to present except through the agency of expensive lawyers who seek to make a living. Of course, the expensive lawyers referred to by the noble Lord, Lord McNally, will now advertise their wares to companies, telling them what the impact of these things is going to be because they did not have a chance to engage with them earlier and make their views known, particularly if they start being adversely affected.
Perhaps I misheard the noble Lord—we will call them distinguished lawyers.
However, there is a dispute going on between the chairs of Sub-Committee A and Sub-Committee B. I do not know how these disputes are resolved. Do they come to the House? Perhaps they should come to the House.
My Lords, I hope that it is close, because meanwhile we have another seven of these instruments to consider today and the whole of the Order Paper for Wednesday has, I think, another dozen of them. We also have hundreds more coming next week. Perhaps I may say to the noble Lord that I hope that this can be resolved extremely quickly and that we can find a satisfactory way forward, because the issue of the lack of impact assessments seems to be entirely arbitrary. We have some on the later instruments that will be introduced by the noble Lord, Lord Bates, but there are none on these. However, no formal consultation has been carried out on any of the instruments.
I have some fear that I will raise the noble Lord’s blood pressure even higher, but if he takes a look at the impact assessments that are provided, I think that he will be shocked by their inadequacy. They do not move us very far on from having no impact assessment at all.
My Lords, I do not think that it is possible for my blood pressure to be higher on these matters. However, I hope that the blood pressure of the House is high, because we are supposed to be legislating on behalf of the country, and the proceedings of your Lordships in respect of these no-deal statutory instruments are an absolute farce. I do not think that the procedures of the House are working well. The fact is that the two chairs of our relevant sub-committees cannot even agree on a letter to send to the Treasury in respect of the handling of consultation. The fact that it is about six months after we started getting the initial flow of statutory instruments on this matter coming to the House is in itself deeply unsatisfactory and is not a good commentary on the way our parliamentary proceedings are working. Moreover, the fact is that what we get are bromides from the Government that there is no change, based on there being no impact assessments, no consultation and a complete misreading of what the situation is in any event, because it involves a denial of all of the negative consequences that will flow from leaving the European Union, which of course is the underlying fact that they should be grappling with in the first place when conducting consultations and impact assessments. It is deeply unsatisfactory.
The right thing for this House to do would be to reject these instruments. We should not be a party to such an abuse of our constitutional procedures as is taking place with these no-deal instruments. What we will be faced with, though—I feel this pressure myself—is that we could crash out of the European Union in an unconscionable act of misgovernment in the course of five weeks’ time, so we have to do our level best to ensure at least that there is a statute book in place for that eventuality. But I and other noble Lords want to put on the record that the situation we are faced with, and which gets worse with every debate that flushes out more facts about what is actually happening, is a complete abuse of our constitutional procedures.
That last point is very important. Somebody pointed out the other day that one day there will be a full judicial inquiry into how this process has been carried through. Ministers and civil servants should be aware that one day there will be accountability for the way this has been done.
The noble Lord is right, but I do not think that that day is far off; I think it will come soon. Let us be clear: we are not talking about a natural disaster. As a Minister, I often had to deal with those. When there are ash clouds and volcanoes erupt, you have to take very difficult and extreme decisions at short notice. Here we are talking about an act which the Government are inflicting on the country, with no external agency whatever. Not only that, but the Government could this afternoon terminate the situation we are faced with, in respect of these no-deal regulations, by the Prime Minister announcing that she is not proceeding with no deal and that she will, on behalf of the United Kingdom, submit a request to extend Article 50—or, as we now know she can do from the judgments of the European court, rescind it unilaterally. This will be a big matter for the public inquiry that the noble Lord, Lord McNally, is referring to. All the consequences of this no-deal situation are caused by the Government, and the remedy for them is entirely at the disposal of the Government. It is our absolute duty to point this out all the way through this process, so that at least some of us in the parliamentary system can point to the fact that we did our level best not to take the nation to the edge of the cliff where we are now at.
Coming back to this instrument, it is totally unacceptable that we are dealing with such an important set of regulations relating to the fundamental issue of data and data protection and there has been neither an impact assessment nor any public consultation.
My Lords, I asked the Minister about the state of play on an adequacy decision. I am told that the Minister in the other place, Margot James, confirmed a few weeks ago not only that those discussions can start—at least formally—only after the UK leaves the EU, but that they would take two years; that was her estimate. So that multiplies the gravity of having no impact assessment; if we crash out without a deal, we will have a legal void for a long time.
The noble Baroness raises a very important question, to which the Minister should respond: how long will it take to consider this? Noble Lords who woke up to the “Today” programme this morning will have been astonished to find that Dr Liam Fox and the Foreign Secretary had written to the Japanese Prime Minister telling him to get a move on in signing a trade deal with Britain—as if we, because we are putting ourselves in a position of great jeopardy and undermining existing international agreements in five weeks, can now start instructing foreign Governments on the timescales in which they should conduct international negotiations. This is utterly humiliating to us as a country. It is a fundamental breach of the proper conduct of public affairs. What the noble Baroness said about it taking another two years even to get the basis of data adequacy agreements with the EU, because of our act of withdrawing from the European Union, simply underlines the point.
My Lords, in the middle of all that I shall provide a still, small voice of calm for a moment—perhaps—in keen anticipation of the response of the Minister, who will have to orchestrate the energies that have been released and deal with the blood pressure of my noble friend Lord Adonis.
I have looked at this statutory instrument. I can see 65 pages of intricate cross-stitching, as an untold number of lawyers for untold numbers of hours have pored over pieces of legislation, harmonised what can be harmonised, tweaked what can be tweaked and produced at the end an unreadable pastiche, leaving us reliant on the Explanatory Memorandum. As I sat at my kitchen table on the sunniest weekend we have had this year so far, with pieces of legislation spread out all around me, there was no other method available to me.
I read of changes to the GDPR and the law enforcement directive,
“over which our Information Commissioner’s Office and UK civil servants have had considerable influence”.—[
That we, once among the architects of how we handle our data as a continent, should now be in the position we are in is a great sadness. I would say the same thing for the European Court of Justice, which we had a formative contribution in shaping. That we are arguing these points in this way is a dreadful place to be.
I echo what has been said to my left and to my right about reciprocity, adequacy and all that. At the moment of leaving, we will, I suppose, accept the remaining members of the European Union as having passed the adequacy test. Indeed, through the Privacy Shield scheme in the United States, we will offer that sense of adequacy even beyond Europe. But, as has been said, the negotiations to have some reciprocity and adequacy expressed for our own case will take an indeterminate time—two years has been mentioned, and the Minister will respond to that in due course. It seems such a strangely asymmetrical presentation of these important facts. I want to ask, as others have done: is it true that the assessment of adequacy for the United Kingdom might take as long as that?
In his opening remarks, the Minister mentioned that, at such-and-such an item in the political agreement, there is reference to the urgency with which certain of these things must happen. Perhaps he will excuse my ignorance on this point, but, if there is no deal, is there no deal in respect of the deal and of the political agreement? If so, the item he referred to falls, as indeed does the deal.
The noble Lord, Lord Balfe, made a speech last week on what happens once you have reached a fixed point, which has again been hinted at in this debate. At the moment, all we are talking about is something that will come to pass on a particular date, just five weeks away, at which point things should square up with each other. But what happens in the two years it will take for adequacy for us to be granted by the negotiating process that will then begin? What happens if decisions about how to act in the area of the management of data begin to diverge? It is not a fixed position. What mechanisms do we have to handle a shifting scene?
My noble friend Lord Adonis mentioned Japan. It did not come into the picture because, at the time this statutory instrument was written, something was happening that had not yet been brought to a conclusion. But we now know what the conclusion is, and we see that Japan will be a much more difficult case to crack than we had thought. Once again, we are in a bad place.
Without a deal—or even, it seems, with one—the ICO will no longer sit on the European Data Protection Board. The noble Lord, Lord McNally, referred to the loneliness of the Norwegian, and it is worth emphasising that all over again. It will be a dreadful thing for us to send our top person to such discussions and have her sit out and have no real practical influence—this is the United Kingdom we are talking about—nor will she be able to participate in the GDPR’s one-stop shop mechanism. This is another terrible place to put her. How should we feel about this? I think it is important.
Incidentally, I see why there is no impact assessment or public consultation: all the people who might have been available to harness such an impact assessment or consultation have been disentangling laws and working as drones to put this SI together. I cannot feel that we are doing anything that any of us would be other than ashamed about with the passage of time.
On the age at which consent is deemed to have been given, are the Government, in opting for 13—there was a spread of ages between 13 and 16 when we considered the Data Protection Bill last year—achieving by secondary legislation what we were reluctant to do just a year ago with the primary legislation? What is our duty of care in such circumstances?
Others have spoken with great passion. I wish to mention a consultation which seems to have happened with the devolved authorities on how and when they should exercise their “supervisory authority” when preparing new legislation. What kind of consultation took place with the devolved authorities? They are not desperately happy with the way they have been consulted in general as this unholy process has unfolded. I would like some reassurance on that.
I end, as my noble friend Lord Adonis did, on the gnomic utterance:
“Data flows from the EEA to the UK may be restricted post-exit, but that is as a consequence of the UK leaving the EU, not as a result of this instrument”.
When he referred to Alice in Wonderland, I am afraid I was in something more desultory and the darkest kind of Gothic novel from the 19th century.
I wish the Minister well. He is a good man and will no doubt have a benign presence at the Dispatch Box. Of course we will not oppose this item but we sit down with great regret at finding ourselves where we are.
My Lords, I took the advice of the noble Lord, Lord McNally, that it would not be easy—and he has proved to be right. It is reasonable to take on board the frustrations that some of these SIs have caused—in my view, not so much because of the process which is gone through but the fact that some noble Lords do not want to leave the EU and are highlighting the effects. What they are highlighting may well be the case, but when we are trying to pass an SI such as this one we need to concentrate on its effect and—that did not take long.
I am sorry but the Minister must accept this. It is absolutely true—I speak for myself and my Benches—that we would prefer to remain in the EU, but that is not the point about an impact assessment. There is a difference between crashing out with no deal and a transitional period when EU law would continue to be applicable and we would not need all these arrangements. That is what an impact assessment would have to assess. This is about a no deal crash-out and it is perfectly valid to distinguish that from an advocacy of remain.
I agree. That is why the Government are making all efforts to secure a deal. We agree that a deal is the best situation for the country. We are at one with that.
In answer to the noble Baroness, I will start with something which is my responsibility—the legislation.gov.uk website provided by the National Archives. I will take up the matter with it. I am told that it may be helpful to search for “draft statutory instruments” rather than “statutory instruments”. I certainly listened to what she said about the website not working and will check what we need to do.
The noble Baroness, the noble Lord, Lord Adonis, and others talked about the impact assessment and asked why it has not been published. The impact of this instrument, not the impact of leaving the EU, was assessed in line with standard practice following the existing Better Regulation framework. It is focused on the direct impact of the relevant SI compared with the current legislation. The whole point of this SI is to maintain an equivalent regulatory framework to protect personal data. The noble Lord, Lord Adonis, quite rightly pointed out that it affects not only UK businesses but mostly EU and EEA businesses, which will have to have representatives in this country, and I will come to that. It is a reciprocal arrangement. If these regulations come into force and we have a UK GDPR, the same necessity for representatives will take place both ways, and I will come to that.
The analysis, to the best of the Government’s ability, of the wider impact of the UK’s exit from the EU was published in the Long-term Economic Analysis in November last year. The noble Lord, Lord Adonis, talked about representatives and Article 27. He is correct that data controllers who offer goods and services to or monitor the behaviour of data subjects in the UK will need to appoint a representative in the UK, but that is a cost to non-UK businesses, which is what the impact assessment is meant to address. He is also correct that there will be organisations in the UK that will be required as a matter of EU law to appoint a representative in the EEA. The ICO provides data controllers with advice on this obligation and will continue to do so. If controllers and processors based abroad are routinely processing data, it is right that they should be accountable in the UK and have a presence here because this is about maintaining the status quo as far as possible, not about rolling back protections for individuals, so the representative is a point of contact for the data subject as well the supervisory authorities, such as the Information Commissioner.
I understand that the Minister is saying that my supposition is correct that after a no-deal Brexit a UK data controller doing business in the EEA will have to have a representative in the EEA as well as in the UK because this will be a reciprocal obligation—the Minister is nodding, so he agrees. The key point is that that is a significant burden on businesses. There is no way of getting away from it. That is a new and significant burden on UK businesses as a result of the regime put in place by this instrument, so why is it not flagged up in the Explanatory Memorandum to this order? Indeed, to take up the point made by my noble friend Lord Rooker, why did our Select Committees not point this out in their analysis of this instrument? My reading is that this is going to be a burden on a very substantial proportion of businesses which conduct business that involves data. Therefore almost all of them that do business on the continent will be required to have a representative on the continent for GDPR purposes which they do not have to do now and will not have to do if there is a deal because we would have continuity of the existing GDPR arrangements.
It is true that they may be required to have representatives in the EEA, and it is a reciprocal benefit. The impact assessment looks at the specific requirements of the SI, not at the requirements of leaving the EU. The long-term consequences for business—
I thought I was going to listen to a debate on a specific SI, but there are some very large principles here about the way in which this House should be handling the very large number of SIs which we are expected to get through in the next two to three weeks. If it is correct to say that the Treasury has now laid down that there should be no impact assessment because we can all rely on what the Government told us in general about the implications of leaving the EU, that seems to be close to being totally improper and at the very least to require a formal Statement to this House about how we are expected to deal with this very large number of statutory instruments.
In the circumstances, the most appropriate thing would be for the Minister to withdraw this statutory instrument and to come back in a few days after there has been some consultation on it among the Front Benches. If he is not able to do that, at the very least he should promise that tomorrow there will be a formal Statement to the House on how statutory instruments will be handled from now on. It seems that we are heading into an area where statutory instruments are not being properly scrutinised by this House.
I find it difficult to understand how the noble Lord can say that the SIs are not being properly scrutinised by this House, particularly in comparison with the scrutiny that this instrument received in the other place.
I agree with the noble Lord who is saying from a sedentary position that that is why he is here and why it is important. However, taking my personal experience of the telecoms SI, an hour and a half in the Moses Room and an hour in the Chamber seems to be pretty reasonable scrutiny. As for how the House in general and the Government are handling SIs—
This is not just a matter of time; it is whether people have the appropriate information to be able to raise and challenge issues. That is the underlying issue that the Minister is running into in this House.
I understand that point, and the noble Lord, Lord Adonis, made it to me forcefully in the Moses Room. This SI has been laid for some time and there have been opportunities for noble Lords to talk to and engage with anyone from the DCMS. I take the point that it is sometimes difficult for Back-Benchers to get information if they do not ask the department. However, I think that the Front Benches have been fairly open in exchanging information on any SI—that is certainly the case in my department. I offered the noble Lord, Lord Adonis, opportunities to ask questions well before the debate, as I think he acknowledged.
It is not for me to say how the House and its sifting committees behave and how the two committees have liaised with each other. However, I will take the noble Lord’s request back to the usual channels. I will not commit to there being a Statement tomorrow but I will certainly take back his point to make sure that the usual channels listen to what he has said. The making of Statements will be up to them—that is not for me; nor is it for me to comment on the work of the sifting committees of your Lordships’ House.
My Lords, this morning I read a new Commons briefing on the amount of legislation that needs to have been completed to enable us to leave the EU on
I thank the noble Lord for his view. It is clearly not for me to promise a Statement to the House. As I said before, I will agree to take back what he said and put both interventions to the House authorities. They may or may not agree. If they do not, I am sure that he will be able to raise it in an appropriate forum direct with the usual channels—both via his own Chief Whip and also directly with the Leader of the House and our Chief Whip. However, it is not appropriate, in considering an SI, to move beyond that to the wider method used by the House to address statutory instruments. Ministers certainly feel that they have been scrutinised considerably. I do not see that the noble Lord, or others who have spoken on this, are suffering from a lack of information with which to scrutinise these statutory instruments; they seem to be scrutinising fairly effectively as far as I can tell.
My response to the point made by the noble Lord, Lord Adonis, about the effect of representatives on business, is that the need to have a representative in the EEA is not as a result of this statutory instrument—it is as a result of EU law. Therefore, as I said before, the fact that we will no longer be part of the EU means that EU law will apply to us as a third country; until now, we have not been a third country.
I seem to have misunderstood. I thought we had got clarity on this situation. While we are a member of the EU, a company needs to have only one representative in the EU—if I have got that right—whereas under the no-deal Brexit scenario, if the company is based in the UK and does business involving data exchanges or transfer in the EEA, it will need to have two. That is a very important point. It is not the case that the status quo will continue: there will be a fundamental difference once we are outside, because then we will be a third country as far as the EU is concerned. The reciprocal arrangements mean that UK businesses doing business on the continent will need to have a data representative in the EU and vice versa, which is not the case at the moment in respect of the EEA. Is that correct?
This is a fundamental issue; it goes to the heart of these regulations. The House should absolutely not agree to these regulations without us being clear in this debate on whether there will be a requirement to have data representatives in both the UK and the EEA reciprocally in the event of a no-deal Brexit. That is fundamental. My reading of these regulations is that this will be a requirement and that is what I took the noble Lord to be confirming earlier in the debate.
There will be a fundamental and massive increase in burdens as a result; this is the key point that I am trying to get across, which is not in the Explanatory Memorandum at all. It is not necessarily a point about leaving the EU. If we have an agreement, with an implementation period and so on, there will not be that requirement until we leave the existing regime. These are fundamental issues, which should have been brought up well before this debate started. The fact that the noble Lord cannot even definitively confirm the arrangement is quite a serious problem for us.
I am sorry, but I do not agree with the noble Lord. When we have the UK GDPR, which these regulations will bring into place, there will be reciprocity in the need to have representatives in each other’s countries. I agree that this will be a change. We do not need them at the moment because we are in the EU, but this will be a result of leaving the EU.
I want to get some clarity on this and perhaps the Minister will be able to help me. He is quite clear that, for a wide variety of companies, there will need to be one representative in the UK and, he seems to imply, one representative in the EEA. Is that correct, or does there need to be one in each country within the EEA—or does the individual in the EEA have to deal with different regimes because of the different local regulators and because it is representing a third country in its work? I am trying to work out how great the burden that he has indicated will be, even though he does not think that it will be part of the impact.
Before the Minister answers, I would like to press again this idea that an impact assessment is not needed since the impact comes from leaving. I say no to that; it depends how you leave. The Minister and I may differ on the desirability of the Prime Minister’s deal, whatever that is going to be, but there is a difference between crashing out and having a transition with a political declaration which may avoid the need for duplication; we do not know what the data protection provisions will be in the future relationships. We all hope that there will be a strong degree of mutual recognition, but the immediate impact of crashing out with no deal—with a void where any adequacy decision or future reciprocal relationship between regulators would otherwise be—is quite different. First, it is different from having a standstill transition and, secondly, it is different from having the prospect, or at least the hope, of a long-term relationship that preserves something of the single market. We need the impact assessment to assess the difference between those two scenarios; that is what the Minister does not seem to grasp.
I agree with the noble Baroness that, if we leave with a deal, that is a different scenario from leaving with no deal. That seems an obvious fact and it is why the Government are trying to leave with a deal, which is what the Prime Minister is trying to achieve. This is a no-deal exit SI to prepare for that eventuality. If we leave with no deal, the object of the exercise will be to preserve the GDPR standard of data protection, which this SI will do. To return to the point raised by the noble Lord, Lord Adonis—sorry, it might have been raised by the noble Baroness, Lady Kramer—the requirement to appoint one representative in the EEA is, as I said, a result of EU law.
I say again to the noble Lord, Lord Adonis, regarding the impact on business of Article 27, that we think that if controllers based abroad are routinely processing the data of people in the UK then it is right that they should be accountable and have a presence in the UK, because it is about trying to maintain the status quo as far as possible for individuals and not rolling back their data protection. The representative is a point of contact for the data subject as well as supervisory authorities such as the Information Commissioner.
I turn to the points made by the noble Lord, Lord McNally, about the complexity for organisations potentially subject to dual regulation. The point of this instrument was to ensure the minimum disruption to organisations and to data subjects by trying to retain the effect of the data protection legislation where possible. The relationship is absolutely changing but the instrument ensures that we can co-operate on an international level with not only the EU supervisory authorities but those in other countries; that is why we have kept Article 50 of the GDPR. Where he is right, and I accept that he is right in this, is that if we move away from the GDPR—if the UK GDPR moves away from the EU GDPR—that will have consequences for the adequacy decision that we hope to achieve, which will be reviewed by the EU Commission. It is important that the EU has confidence that our data protection regime is “essentially equivalent”, which is what the adequacy decision is based on. Anything that we do in future will have to bear in mind that our data regime is essentially equivalent so that it gives the EU confidence.
I agree with the noble Baroness, Lady Ludford, that in previous times there were elements that were outside EU competence that it could not look at, but now of course in an adequacy decision it will be able to look at those. Again, as it does in other adequacy decisions, it will look at the overall adequacy requirement and say whether or not it is essentially equivalent. That is why the adequacy decision is not immediate. Where we start in a good place compared to other regimes is that we have started with an equivalent regime to the extent that we have enacted the GDPR, which other third countries have not. We start on a level playing field in that respect.
The noble Baroness talked about the US privacy shield and the reason why we are going to lay another set of regulations. The discussions on the US privacy shield were ongoing when this SI was laid and therefore we could not wait. It was our priority to lay this SI so that we had an ongoing regime in the event of no deal. Now that that has been agreed between us and the US, though, another SI will be laid—it may even have been laid—to ensure that the US requirements continue, and I think that will happen very soon.
The noble Baroness asked about the EDPB’s recently published guidance on the implications of the UK’s exit. That guidance confirmed that, if the EU Commission does not make an adequacy decision in respect of the UK, EU firms will need to put in place alternative transfer mechanisms, such as standard contractual clauses to continue to transfer personal data to the UK.
The noble Baroness suggested that the political declaration only covered adequacy. That is not right: paragraph 9 addresses the free flow of data while paragraph 10 addresses regulatory co-operation.
The noble Lord, Lord Adonis, and the noble Baroness, Lady Ludford, talked about consultation. The difference between this SI and many others is that the Data Protection Act came into force less than a year ago; it was enacted after extensive discussions in this House and the other place, after the referendum discussion had taken place. Those noble Lords who participated in the Data Protection Act discussions, which lasted for many weeks, all know that matters such as data adequacy were raised numerous times. The whole purpose of the Act, and the mixture between regulations and derogations from regulations, was that we would be on as level a playing field as we could be when it came to getting an adequacy decision.
On the question of consultation, very recently stakeholders became aware of the GDPR—indeed, the whole country was aware of it eventually. There was a call for views and extensive parliamentary scrutiny. Before deciding how to implement the GDPR, we spoke informally with a wide range of stakeholders and were able to perform a broad understanding of different views. We then invited interested persons or organisations to give us their view—the call for views was from April to May 2017—and we received over 300 responses from individuals and organisations. That enabled us to achieve a fuller understanding of the potential impact of each of the specific exemptions in the Act. As I say, that all took place after the EU referendum result was known.
I have to reject the description of this by the noble Lord, Lord McNally, as a farce. The GDPR—I think every noble Lord knows this, whether or not they were involved in the Act—was extremely high in the public’s consciousness, not always positively. However, what we have ended up with because of that is a data protection regime that is the same as the EU’s.
I withdraw the word “farce”. However, while the Minister is putting great emphasis on the good fit between what he is proposing and the GDPR, the reason why that good fit exists, as I said in my remarks, is that the GDPR itself was massively influenced by British officials, who played a major role in its construction. What he is gliding over in his assurances is that if, as is likely, there are changes in the European GDPR in future then we will be coming, like the Norwegians, only to listen and accept—because, make no mistake, if there are changes in future, it will be massively in Britain’s interest to accept them. This is the loss of sovereignty that the whole process is trying to glide over. We will not have the same influence on data protection in future as we have had in the GDPR itself, which is why the fit is so comfortable at the moment.
Forgive me, but I would like to follow up on that. I really think the Minister is overselling what is in paragraph 9 of the political declaration. Last June, the Government issued a technical note about wanting a legally binding data protection agreement, and I described that earlier as a “Brexit in name only” kind of arrangement. They wanted that because there are,
“benefits that a standard Adequacy Decision cannot provide”.
Except for one sentence in paragraph 10 that talks about arrangements for appropriate co-operation between regulators, paragraph 9 is about a standard adequacy decision—no less but certainly no more. It talks about the European Commission recognising,
“a third country’s data protection standards as providing an adequate level of protection”.
It is not what the Government hoped for last June. I do not understand why the Government are trying to pretend. We can all read paragraph 9 once we have googled it and reminded ourselves, so to say that it is more than an adequacy assessment process is simply not true.
I understand the point from the noble Lord, Lord McNally, that our new position will not be the same as being in the EU. If we were a third country, I would expect us to have less influence than if we were a member of the EU. I am not denying that; it seems obvious. He is absolutely right that the GDPR was influenced by the UK, not only by officials in the negotiations but specifically by the ICO, which is regarded as one of the leading regulators in Europe. Of course, it will not have the same position as it did if we are not in the EU; I take that point.
However, I do not base everything on just the political declaration, which may or may not have some influence. It is also that we have retained Article 50 of the GDPR. I cannot remember the exact words, but it is on the basis of that that the EU talks about international co-operation with third countries, so there is a mechanism. As I said to the noble Lord, Lord McNally, it will not be the same, but there are bases for international co-operation. The EU wants that to happen and understands that in things such as data protection, you have to have an international consensus. In fact, on that, it is more important to go beyond the EU and do it internationally. Other organisations should—and do—take views on this. I think we are at the start of the journey on control of cross-border data flows and it will provide a further basis to influence behaviour.
On adequacy, it is easy to ask for detailed timelines on when this will take place. It will not take place on exit day, because it is not possible for the EU to give an adequacy decision unless you are a third country. Preliminary discussions—which, as the noble Baroness, Lady Ludford, has indicated, may take some time—could begin now and we are ready to begin those discussions as soon as we can. We are already liaising with the European Commission—in fact, senior officials were in Brussels for talks last week—and we have liaised with member states on this subject. When the EU is ready to begin discussions, we are confident that we will be ready, but it is impossible to say how long that will take because, as the noble Baroness said, it is not a decision that is in our gift.
However, we start from a position of regulatory alignment on data protection. We implemented the GDPR and the law enforcement directive. We have also taken a GDPR approach on data protection to areas that were outside EU competence, such as law enforcement and national security, so we start in a very good position. In fact, it is such a good position that the UN special rapporteur on the right to privacy declared that the UK now co-leads in Europe and globally on privacy safeguards, and has made significant improvements in its oversight system since 2015. He said that,
“the UK has now equipped itself with a legal framework and significant resources designed to protect privacy without compromising security”.
It is important to note that there is a strong mutual interest in data adequacy.
The noble Lord, Lord Adonis, said that it is unsafe to pass this SI. I would like to point out what that would mean, if it is not passed and we have a no-deal exit. It would mean that we would cease to have properly functioning data protection law. The whole basis for adequacy decisions, which I think we all agree is very important, would go, because we would not be on a reciprocal basis—
I am talking about data protection. We want a deal; I think everyone agrees on that. The question is whether going into a negotiation saying that is a good way to approach the negotiation.
As well as the basis for adequacy going, there would be no transitional arrangements to enable lawful personal data to transfer to the EEA. The noble Lord, Lord Adonis, is concerned about business expenses; for that reason, that would not be a sensible way of going forward.
On the adequacy decision which my honourable friend Margot James mentioned, I do not have her remarks before me, but I believe she said something about two years. I think what she meant was that other countries’ adequacy decisions have sometimes taken two years, but we see no reason for it to take two years in the UK’s case, because, as I said, we are equivalent. I think I have answered most of the points that noble Lords raised.
I apologise for interrupting the Minister again. He said we are now undertaking “preliminary discussions” about how this would be handled if we leave without a deal, but that these discussions “may take some time”—I think I heard him say that. Is he suggesting that, if we leave without a deal on
Yes, because it is literally impossible to have an adequacy decision until you are a third country. Therefore, you cannot have an adequacy decision in advance. What you can do, and I should have said preliminarily that we have been discussing this—I raised it over a year ago—is start the discussions with the EU, but the decision itself cannot be made before exit day. It is impossible.
There are mitigations which prevent that—standard contractual clauses and binding corporate rules. Plus, it depends a lot on the proportionate approach that the regulators in the EU take. There would be an impact; we would have to arrange mitigations, which would be a cost to business. That is what has been set out in the technical notice to business.
I am making a very good case for why we want a deal. As I have said several times, we want a deal.
I think I have been through most of the questions raised by noble Lords. The important thing about this statutory instrument is to have a fully functioning data protection regime. If we go back to the original reasons why we passed the Data Protection 2018 with a fair bit—a lot, I would say—of cross-party support, the reason that it is important is to give individuals protection for their personal data. We must bear that in mind. These regulations will preserve that protection for individuals and set us on the road to a successful conclusion of our adequacy agreement when we get to the stage where the EU will allow us to negotiate it. That is why I beg to move.