I agree with the noble Baroness that, if we leave with a deal, that is a different scenario from leaving with no deal. That seems an obvious fact and it is why the Government are trying to leave with a deal, which is what the Prime Minister is trying to achieve. This is a no-deal exit SI to prepare for that eventuality. If we leave with no deal, the object of the exercise will be to preserve the GDPR standard of data protection, which this SI will do. To return to the point raised by the noble Lord, Lord Adonis—sorry, it might have been raised by the noble Baroness, Lady Kramer—the requirement to appoint one representative in the EEA is, as I said, a result of EU law.
I say again to the noble Lord, Lord Adonis, regarding the impact on business of Article 27, that we think that if controllers based abroad are routinely processing the data of people in the UK then it is right that they should be accountable and have a presence in the UK, because it is about trying to maintain the status quo as far as possible for individuals and not rolling back their data protection. The representative is a point of contact for the data subject as well as supervisory authorities such as the Information Commissioner.
I turn to the points made by the noble Lord, Lord McNally, about the complexity for organisations potentially subject to dual regulation. The point of this instrument was to ensure the minimum disruption to organisations and to data subjects by trying to retain the effect of the data protection legislation where possible. The relationship is absolutely changing but the instrument ensures that we can co-operate on an international level with not only the EU supervisory authorities but those in other countries; that is why we have kept Article 50 of the GDPR. Where he is right, and I accept that he is right in this, is that if we move away from the GDPR—if the UK GDPR moves away from the EU GDPR—that will have consequences for the adequacy decision that we hope to achieve, which will be reviewed by the EU Commission. It is important that the EU has confidence that our data protection regime is “essentially equivalent”, which is what the adequacy decision is based on. Anything that we do in future will have to bear in mind that our data regime is essentially equivalent so that it gives the EU confidence.
I agree with the noble Baroness, Lady Ludford, that in previous times there were elements that were outside EU competence that it could not look at, but now of course in an adequacy decision it will be able to look at those. Again, as it does in other adequacy decisions, it will look at the overall adequacy requirement and say whether or not it is essentially equivalent. That is why the adequacy decision is not immediate. Where we start in a good place compared to other regimes is that we have started with an equivalent regime to the extent that we have enacted the GDPR, which other third countries have not. We start on a level playing field in that respect.
The noble Baroness talked about the US privacy shield and the reason why we are going to lay another set of regulations. The discussions on the US privacy shield were ongoing when this SI was laid and therefore we could not wait. It was our priority to lay this SI so that we had an ongoing regime in the event of no deal. Now that that has been agreed between us and the US, though, another SI will be laid—it may even have been laid—to ensure that the US requirements continue, and I think that will happen very soon.
The noble Baroness asked about the EDPB’s recently published guidance on the implications of the UK’s exit. That guidance confirmed that, if the EU Commission does not make an adequacy decision in respect of the UK, EU firms will need to put in place alternative transfer mechanisms, such as standard contractual clauses, to continue to transfer personal data to the UK.
The noble Baroness suggested that the political declaration only covered adequacy. That is not right: paragraph 9 addresses the free flow of data while paragraph 10 addresses regulatory co-operation.
The noble Lord, Lord Adonis, and the noble Baroness, Lady Ludford, talked about consultation. The difference between this SI and many others is that the Data Protection Act came into force less than a year ago; it was enacted after extensive discussions in this House and the other place, after the referendum discussion had taken place. Those noble Lords who participated in the Data Protection Act discussions, which lasted for many weeks, all know that matters such as data adequacy were raised numerous times. The whole purpose of the Act, and the mixture between regulations and derogations from regulations, was that we would be on as level a playing field as we could be when it came to getting an adequacy decision.
On the question of consultation, very recently stakeholders became aware of the GDPR—indeed, the whole country was aware of it eventually. There was a call for views and extensive parliamentary scrutiny. Before deciding how to implement the GDPR, we spoke informally with a wide range of stakeholders and were able to perform a broad understanding of different views. We then invited interested persons or organisations to give us their view—the call for views was from April to May 2017—and we received over 300 responses from individuals and organisations. That enabled us to achieve a fuller understanding of the potential impact of each of the specific exemptions in the Act. As I say, that all took place after the EU referendum result was known.
I have to reject the description of this by the noble Lord, Lord McNally, as a farce. The GDPR—I think every noble Lord knows this, whether or not they were involved in the Act—was extremely high in the public’s consciousness, not always positively. However, what we have ended up with because of that is a data protection regime that is the same as the EU’s.