We need your support to keep TheyWorkForYou running and make sure people across the UK can continue to hold their elected representatives to account.

Donate to our crowdfunder

Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 - Motion to Approve

Part of the debate – in the House of Lords at 4:30 pm on 18th February 2019.

Alert me about debates like this

Photo of Baroness Ludford Baroness Ludford Liberal Democrat Lords Spokesperson (Exiting the European Union) 4:30 pm, 18th February 2019

My Lords, first I have a couple of housekeeping questions which I hope are not too banal. I find considerable difficulty using the legislation.gov.uk website and its search function. Will the Minister ask his civil servants to check it out? Even if you search for “data protection 2019” under UK SIs, both the previous one and this are difficult to find. There was a 19 December version of these regulations, which were replaced in January. I must admit that I have not pored over every line of both to find the differences. Will the Minister explain why that was necessary?

Secondly, I want to ask about the absence of an impact assessment. Paragraph 12 of the Explanatory Memorandum states that:

“There is no, or no significant, impact on business, charities or voluntary bodies arising from this instrument”.

The pretext is that, while the Government recognise that:

“Data flows from the EEA to the UK may be restricted post-exit”— because, if there is no deal, we will be plunged into a situation where there is no legal framework and no adequacy decision—

“that is as a consequence of the UK leaving the EU, not as a result of this instrument”.

That is the justification for having no impact assessment. However, if we left with a withdrawal deal and a transition there would be a legal framework, so this instrument, which provides for both a no-deal scenario and one in which there would be no adequacy decision, surely merits an impact assessment as well as the consultation to which the noble Lord, Lord Adonis, referred.

As the ICO has made clear, and as has been mentioned already, businesses may have to deal both with the ICO and with European data protection authorities in every EU and EEA state where they have customers. They may need a European representative if they process the data of people resident in the EEA or have customers in the EEA. There would be additional complexity if they had to comply with both the GDPR and the UK GDPR. They could face concurrent legal claims in both the UK and the EEA. Will the Minister amplify the justification for having no impact assessment? Data flows are crucial to many businesses, not just the tech industry—there is hardly a business or other organisation that they do not affect—so the rather blasé claim that no impact assessment is needed is not justified.

I am a bit confused—it may just be my lack of understanding—about the situation regarding EU adequacy decisions on third countries. Paragraph 2.8 of the Explanatory Memorandum says there will be,

“incorporated into UK domestic law … EU decisions on the adequacy of third countries and on standard contractual clauses, both of which are relevant for … international transfers”.

Paragraph 2.13 says:

“It will not be necessary to retain the EU decisions on adequacy and standard contractual clauses … so these are revoked by this instrument”.

If I have understood the Minister’s presentation, this is explained by the fact that we are recognising and incorporating past EU adequacy decisions, but that in the future, in a no-deal scenario, the UK will take over that function: I venture to suggest that that is not very clearly explained in the Explanatory Memorandum.