Moved by Lord Stevenson of Balmacara
32: After Clause 37, insert the following new Clause—
“Reporting of progress on achieving a data adequacy ruling
After section 15 of the European Union (Withdrawal) Act 2018 (publication and rules of evidence) insert—
“15A Reporting of progress on achieving a data adequacy ruling
(1) A Minister of the Crown must, before
My Lords, Amendment 32 is in my name and I thank the noble Baroness, Lady Ludford, for her support. I am also pleased to see the new Secretary of State in her place. Although I think she will not respond to this debate, I am sure she is learning from the process and we look forward to further interactions with her in due course, not least the opening Question Time, which I see is now on the timetable—it should be fun.
This is a probing amendment, by which I seek to draw attention to two things. One is the importance of the personal data sector; that may not need to be said, but it is worth reminding ourselves of its importance. The other is the implications for our economy if the Government are unable to persuade the EU to agree a data adequacy decision within the tight timetable that we have. But I also want to raise concerns about the future of this sector in light of the Government’s plans for further changes to the law, some or all of which might reduce the chances of us obtaining a positive data adequacy outcome.
The facts are that 43% of EU tech companies are currently based in the UK and 75% of the UK’s personal data transfers are with EU member states. It is therefore vital that a data adequacy agreement is reached within the timescale proposed under the withdrawal agreement. But quite apart from the timescale, achieving a positive adequacy decision for the UK is not as uncontentious as the Government seem to think. For a start, any adequacy agreement requires the European Commission to consider a wide array of issues, such as the rule of law, respect for fundamental rights, and legislation on national security, public security and the criminal law in that country. As was pointed out during the passage of the Bill, the surveillance practices of the UK intelligence services may indeed jeopardise a positive adequacy decision tout court. But there are particular difficulties and it is worth reflecting on these.
Further modifications of the GDPR, as it was legislated for, are possible in the UK after Brexit using the powers in the European Union (Withdrawal) Act in areas such as rights, principles, definitions, powers of regulators, and fines. This means that the European Commission will have concerns on how secure the adequacy decision will be. Can the Minister say what guarantees will be under consideration in these areas? One problem with the UK’s version of the GDPR is that the Government resisted calls from this side of the House to include the recitals in the legislation. However, somewhat ironically, much of the ICO guidance on the GDPR is linked to the recitals and references are made to all of them. How will the Government square that anomaly whereby, after December 2020, those recitals will relate to the EU version of the GDPR but not specifically to the UK version? It has been argued that several of the exemptions in Schedules 2 to 4 to the DPA 2018 are not mirrored in other EU member states’ national data protection law, such as immigration and national security references, which might diminish the rights and freedoms of EU nationals in the UK. Can the Minister say how the Government will resolve this?
As was discussed at length during the passage of the Bill, the Investigatory Powers Act 2016 and the amount of bulk personal data collected routinely in the UK are generally accepted as a problem. Do the Government have any thoughts on how to address these issues? The status of codes of practice produced by the Secretary of State under the Digital Economy Act 2017 and the framework for data processing by government raises the question of whether the ICO is an independent regulator. Does the Minister accept that this may cause problems for the data adequacy ruling?
There are important provisions within the withdrawal agreement in relation to data protection over the transition period and I accept those. They include the fact that the GDPR and related EU privacy laws will continue to apply in the UK during that transition period and that there will be no immediate change in UK law on exit day. The UK must continue to interpret and apply the GDPR and related EU laws consistent with wider EU legal principles. The UK courts will therefore continue to apply decisions of the Court of Justice of the European Union and changes in EU law through the transition period, though presumably there will not be that many. The CJEU will continue to have jurisdiction in the UK, and decisions on the GDPR may be referred to the CJEU during the transition period.
We have all that as a base, but what happens if either we find that the EU will not grant an adequacy agreement or that it is significantly delayed? The current thinking is that impacted organisations—there will be a lot of them—will need to adopt specific legal safeguards to support the lawful transfer of personal data to the UK and that they will use standard sets of contractual terms and conditions, which the sender and the receiver of the personal data must both sign up to. But SCCs cannot be used to safeguard all transfers, and redress would of course be a civil and not a criminal matter in the courts, with all that that implies. The question is whether the Government have in mind to legislate to provide certainty for this possibility. Can the Minister comment on that?
The Government have ambitious plans, which we broadly support, to respond to increasing concern about the use and misuse of personal data, particularly as these affect children, but also including online trolling, fake news and undue influence on political issues. The Government are also considering how and in what way data companies are covered by competition and other regulations that apply to media companies.
We look forward to initiatives from the CMA and Ofcom and to seeing the online harms Bill, which is to introduce a duty of care approach to statutory regulation in this area, which will transform the legal position of the big tech companies from “platforms”—which they like to call themselves—and recognise that they are active media and information companies, with the broad societal responsibilities that this must entail. These changes in approach, desirable as they are, are bound to affect our current data protection regime. Can the Minister give us more detail and assure us that this work is not under threat and will not impact on our proposed data adequacy agreement with the EU?
I have listed rather a lot of questions, probably too many for this time of night, and I am quite happy to have a letter from the Minister if she would feel more comfortable with that, but I would like some general shape to her response before we let her go this evening. I have outlined a range of important issues which will impact on an important sector of our economy. If the Minister accepts the broad drift of this argument, will she also agree that there is substantial interest in the sector about this? It therefore follows that my amendment, probing as it is and calling for formal Statements and reports, would be of value to all concerned. I beg to move.
My Lords, I support this amendment, of which I am a co-signatory. I very much agree with what the noble Lord, Lord Stevenson, said, though I fear I might add a few questions for the Minister. As he said, free data flows across borders are an essential foundation of many key sectors of our economy, not just the tech industry as such but manufacturing, retail, health, information technology and financial services. It is vital that the free flow of data between the UK and the rest of the EU continues post Brexit with minimum disruption.
The European Union Select Committee, in its recent report on the revised withdrawal agreement and political declaration, pointed out that there was a lowering of ambition in the political declaration compared to what we have now as part of the EU’s digital single market. We have free flows, whereas the political declaration talks only about the “facilitation” of data flows. That is not the same as “freedom” of data flows. A host of organisations and the Information Commissioner have all persuasively argued that we need to ensure that our data protection legislation and practices are ruled as adequate. That is why it is so important that we get these regular reports and, as the amendment says, that we discover what the policy of HMG is if we do not have a data adequacy agreement after the end of transition.
We cannot take such a decision for granted merely because the GDPR more or less forms part of UK law. A major obstacle to an adequacy ruling is, of course, the bulk data provisions in the Investigatory Powers Act 2016, particularly in the light of the European Court of Justice decision in Tele2/Watson, the case brought by David Davis and Tom Watson over the legality of GCHQ’s retention and bulk interception of call records and online messages. That judgment ruled that UK mass surveillance laws breach the Charter of Fundamental Rights.
Just today there has been an opinion from the Advocate-General, the court’s legal adviser, who tends to get followed in 80% of ECJ cases, on a case which involves Privacy International, and a reference from the Investigatory Powers Tribunal. The Advocate-General has reinforced EU privacy law against mass retention and access to customer data by GCHQ, MI5 and MI6. I think this concerns provisions in Section 94 of the Telecommunications Act 1984. So we may get a second CJEU ruling, which will be problematic for any adequacy ruling given the very explicit requirements of Article 45(2)(a) of the GDPR, requiring the commission to consider
“respect for human rights and fundamental freedoms”, as well as
“national security … and the access of public authorities to personal data … and … international commitments”.
They will probably want to look at any potential transatlantic transfers agreed with President Trump.
It is already clear that many aspects of the Investigatory Powers Act fall short of satisfying the CJEU criteria. The purposes of retention are not limited to fighting serious crime, data retention is not targeted to what is strictly necessary, prior independent review or judicial authorisation is not required in all cases, and there is no provision for informing individuals.
What are the Government going to do in the area of the powers of intelligence agencies to satisfy the European Commission—and the European Parliament, where I had some experience of this, particularly in the era of the Edward Snowden revelations, when many in the Parliament were jumping up and down about GCHQ but there was nothing they could do about it while we were in the EU? Once outside, we actually get much stricter scrutiny about our interception practices than when we are inside; it is something of an irony, really. Then there is the problem about the exception for immigration data in the Data Protection Act 2018. The EU will no doubt closely monitor how the Home Office reviews settled status applications and whether data subjects can obtain full access to their personal data if there are disputes or problems about their status.
In addition, we discussed earlier today the accusation—it seems stronger than that—that the UK has illegally copied, and therefore misused, the Schengen Information System database by copying it into a national database and even sharing it with private companies. The commission report says that UK practices
“constitute serious and immediate risks to the integrity and security of SIS data as well as for the data subjects”.
That is another area where we are going to be under strict review. There is the trust issue, which we also discussed earlier today about the criminal records fiasco—I think one would have to use that word.
There are lots of questions and challenging reviews that the Government will have to answer in seeking data adequacy decisions. We need to know what steps they have taken so far to achieve this decision. Will they apply to continue to participate in the European Data Protection Board? What will they do if we get turned down for a data adequacy agreement? Anything else is second best. Have the Government thought through what their strategy will be if they do get refused? Will they change the legislation on handling personal data for national security purposes? Those are a lot of questions, but it is a very significant area of the negotiations with the EU 27. From past experience, I know that the European Commission will be very much on the ball—not least because of the eagle eye that the European Parliament will have on this area—so the Government have to be as well.
I thank the noble Lord, Lord Stevenson, and the noble Baroness, Lady Ludford, for this amendment, which seeks to add additional scrutiny to the data adequacy assessment process by introducing a bespoke statutory reporting requirement. It has certainly been very useful in drawing attention to the importance for both the UK and the EU of the UK pursuing and obtaining positive data adequacy decisions to enable the free flow of personal data after we exit the EU. It is also helpful that the noble Lord highlighted the success of our tech sector, which I thoroughly echo. I am sure that my noble friend the Secretary of State shares that view.
The free flow of personal data is an important feature underpinning the UK and the EU’s future relationship for economic and security purposes. The UK is currently a global leader in strong data protection standards, and protecting the privacy of individuals will continue to be a priority. The noble Baroness, Lady Ludford, referred to a lack of ambition. I do not think there is any lack of ambition on the part of the Government in this area. The Data Protection Act 2018 strengthened UK standards in line with the EU GDPR and law enforcement directive, providing a unique starting point for these discussions. The UK is ready to begin the adequacy assessment process and we are pleased that the EU has committed, in the political declaration, to the Commission beginning its assessment of the UK as soon as possible after our withdrawal, endeavouring to adopt adequacy decisions by the end of December 2020.
Before I try to answer some of the questions posed, I hope it will be helpful to touch briefly on some of the preparation that has been going on in government for the last two years for this eventuality. The Government established a data adequacy negotiation hub which sits within the Department for Digital, Culture, Media and Sport. It was set up early in 2018 and includes experienced experts in both data protection and negotiation. They are ready and waiting and keen to start negotiations with the Commission now.
This amendment would introduce a bespoke statutory reporting requirement, as we heard, covering the assessment period. However, as we heard very eloquently from my noble friend Lord Callanan earlier, there is a need for flexibility of reporting during what will be at times, I am sure, sensitive negotiations. While the Government are absolutely clear in our responsibilities to keep Parliament updated on that progress, and that obviously includes your Lordships’ House, we do not believe that such a rigid regime is appropriate. Obviously, both Houses have an array of tools at their disposal to scrutinise the Government, including through their Select Committees: I refer to the recent report of the Lords EU Committee, which scrutinised the revised withdrawal agreement and political declaration and concluded that the provisions on data protection were to be welcomed.
In this context, we believe there is no need for further bespoke reporting requirements for data adequacy, particularly as setting these out in legislation may have unintended consequences, as was discussed earlier this afternoon. I shall now try to address some specific points, but I am very grateful to the noble Lord, Lord Stevenson, for his offer that I might write to cover some of them.
In a sense, both noble Lords asked about the spirit which would underpin our approach to moving forward in these negotiations. Our aim is to try to find the right way to safeguard privacy while both promoting trade and innovation and protecting citizens from crime and terrorism. All those things are crucial to fully realising the opportunities from the data economy.
Both noble Lords asked how the Investigatory Powers Act might impact on our ability to achieve adequacy. We are confident of the standards included in that piece of legislation. We believe it provides unprecedented privacy, redress and oversight arrangements which I know both noble Lords have scrutinised in detail and which strengthen previous safeguards governing investigatory powers. Given the level of existing knowledge between ourselves and the EU of each other’s high data protection standards, we are very well placed to demonstrate that we meet and often surpass those standards.
I am sorry to interrupt the Minister, but the fact is that the CJEU has condemned our regime under the Investigatory Powers Act. The European Commission will have to take account of that, so to say that we and the EU have common high standards is not entirely borne out by the facts. The CJEU has criticised, in a full judgment, the Investigatory Powers Act. How will we cope with that in the search for data adequacy?
As the noble Baroness understands very well, the adequacy discussions will be broader than strictly personal data and data protection, and will cover these issues. It will be our role to explain to and convince the EU of that, which we are confident we can do.
Similarly in relation to immigration data, which the noble Baroness raised, we believe that there are some misunderstandings about how this provision works. Rather than going into that detail tonight, I can write to her on this. However, we are confident that the provisions included in the Act are fully compatible with EU law, although clearly we recognise that they will be closely scrutinised.
The noble Lord, Lord Stevenson, asked about the independence of the Information Commissioner’s Office. We believe that the ICO is a strong, independent and effective regulator and that its relationship with DCMS upholds that independence. We really do not have concerns that this will be an issue in relation to adequacy.
The noble Baroness referred to the opinion received today from the Advocate-General of the EU; as she said, the opinion is non-binding and the impact will happen only when we have the court’s judgment, although I note her comments on the probability of that. Since the opinion was published only a few hours ago, my officials are currently digesting it, so noble Lords will understand that our ability to comment on these proceedings is limited.
The noble Lord, Lord Stevenson, asked about recitals in the future UK GDPR which still include the EU terminology. Recitals are non-binding in both EU GDPR and future UK GDPR. They are there only as an aid to interpretation and we do not believe that the references to the EU will be confusing.
The noble Baroness, Lady Ludford, referred to the Schengen Information System. I understand that the House will discuss the UK’s access to several EU law enforcement databases on the next amendment. If she will permit it, I think it would be easier to return to that question then.
Both noble Lords asked what will happen if an adequacy decision has not been granted at the end of the implementation period. Obviously both sides have committed clearly, and it is an absolute priority, to make this work, but in the event that an agreement is not reached, the Government have already done a huge amount around no deal, working proactively to communicate companies’ responsibilities in this area—particularly in relation to smaller companies, which we know might find this more challenging. The Information Commissioner’s Office produced a portal to support organisations preparing the standard contractual clauses referred to by the noble Lord, Lord Stevenson.
I fear that time may not permit me to answer any more questions but I will endeavour to write and cover all the important points made. I hope that I have managed to reassure the noble Lord that, once adequacy discussions are under way, both Houses will continue to use all the available scrutiny tools at their disposal to ensure that they are absolutely appropriately informed on the Government’s data adequacy progress and policy. I hope that he will feel able to withdraw his amendment.
Before the Minister sits down, I hope that she can respond to one section of what I was asking about, on the interaction between existing responses to the data adequacy question and the new legislation that the department is working on. Does she feel that the new legislation as previously conceived—and, indeed, as set out in her party’s manifesto—is being progressed and that there is no adverse fallout from that?
My Lords, I thank the noble Lords who have contributed to this short but good debate. It was a robust response. I thank the Minister for the various points that she was able to cover and I look forward to her letter.
I did not raise it, but sitting a bit behind those on the Benches opposite is the question of why such a mess was made on the age-verification issues relating to children’s safety online. In a sense, that is why I asked about future policy in relation to where we were. This is a moving target. I do not want to be critical about this in any sense because it is right that we keep things moving and do not stick on where we were, in some sort of pre-Brexit mode. We must move forward. Life is changing, attitudes are changing and technology is moving forward at a huge pace.
We must be ready to anticipate that but it must not be at the expense of some hard-won decisions that were reached after a lot of debate. They were good decisions in relation to the Bill; both the Home Office and DCMS were heavily involved in them and I am sure that they are joined at the hip over this wonderfully named data adequacy hub. I wish it well in its future negotiations; I am sure that it is raring to go and that it will be very successful.
That leaves us with a bit of an information gap. Yes, the existing arrangements for getting information can be used, but they are never as efficient or effective as the Opposition want and are probably too frequent and difficult for the Government to respond to. How much better if we had a plan where we could say, “Every two months, you’re going to stand up and say something about it.” Perhaps we can make this work but I hope that this important issue is kept very much at the forefront of the department’s work, that there is an all-government response to this because it applies across the piece, and that we see something positive come from it. With that, I beg leave to withdraw the amendment.
Amendment 32 withdrawn.