EU Data Protection Rules
I am grateful for tonight’s opportunity to consider the implementation of the European Union data protection rules, and I look forward to a robust and constructive response from the Minister.
Let me start by stating the obvious: the way we send, receive, collect, analyse and use data has been transformed in the last few decades, and that transformation is only going to become more marked as time goes on. It is truly amazing that around 90% of global data that exists today was created in just the last two years, and that amount is predicted to grow year on year for the next decade. I was staggered to learn recently that Transport for London record 4.5 million pieces of information about bus movements every single day—a very far cry from the old days of clipboards and manual counters.
Of course, significant opportunities are presented by the growth of big data, a term which refers to the growth of large, complex data that can be analysed to provide valuable new insights and personalised services. Yet as our lives become increasingly digitised, the growth of big data has equally big implications for privacy and consequently very big questions for policy makers regarding how we should most appropriately regulate this digital revolution to protect the rights of the individual without stifling the flexibility to innovate.
Of course, the vote to leave the European Union has created a much more uncertain context within which we are approaching this complex issue, with the UK’s data protection rules closely intertwined with EU law. As I will argue in a moment, it is vital for the UK to have a strong data protection system that is in line with EU standards. We need to be part of a strong, open digital economy across Europe, which will be critical if we are to remain globally competitive. As Tech UK has pointed out, and I thank it for its assistance in preparing for this debate:
“As the leading digital economy in Europe, the UK has the most to gain, and conversely the most to lose, from the European data protection landscape.”
Whatever our future relationship with Europe, information will have to flow freely if we want to remain part of the growing global digital economy. I should declare, in passing, that I chair the recently established all-party group on data analytics, which is looking at the issues surrounding the growth of big data.
Let us move on to some history. The basis of EU data protection law is the 1995 data protection directive, which was implemented into UK law by the Data Protection Act 1998. Member states across the EU, however, have implemented the 1995 rules differently, resulting in divergences in enforcement—and, of course, the world has changed dramatically over that time. So in January 2012, the European Commission proposed a comprehensive reform of data protection rules in the EU. After more than four years of deliberations, the general data protection regulation was agreed by the European Parliament in April 2016. The GDPR aims to strengthen consumer protection and enhance trust and confidence in how personal data is used and managed, giving citizens more control over their own private information. It will replace existing legislation that has been in place since the mid-1990s, which in the UK means superseding the Data Protection Act.
The new regulation entered into force on 24 May 2016. As a regulation, it will directly apply to all European Union member states from 25 May 2018; there will be no need for new national legislation. The new data protection directive also entered into force in May, with EU member states required to transpose it into their national law by May 2018. European Commissioners called the GDPR an
“essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market…The Directive for the police and criminal justice sector protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities”
and will especially protect the personal data of victims, witnesses and suspects of crime.
Data protection is ultimately underpinned by the European Union’s charter of fundamental rights. The right to the protection of personal data is explicitly recognised by article 8, which guarantees the right to respect for private and family life, home and correspondence. Data protection is a highly developed area of European Union law—indeed, some describe the free movement of data as a fifth freedom. Given all that, what could Brexit mean for data protection in the United Kingdom?
It is encouraging that the Government have confirmed that the GDPR will still apply to the UK from May 2018. Ministers have stated this on a number of occasions, and I am confident that the Minister for Digital and Culture will do so again today. The Secretary of State for Culture, Media and Sport has said:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
The Minister for Digital and Culture has said:
“the Data Protection Act 1998…provides for very strong safeguards that are set to get stronger. The Government have said that we will opt in to the forthcoming general data protection regulation, which includes stronger enforcement measures than the current Data Protection Act.”—[Official Report, 28 November 2016; Vol. 617, c. 1277.]
It is clear that the Government plan that the GDPR will apply in the UK from May 2018, presumably because, as the Secretary of State said, in 2018 the UK will still be a member of the EU. But what about after we leave?
Very little has been said about what data protection law in the UK will look like after that point. In fact, the Minister for Digital and Culture has said that there may be
“changes to data protection regulatory landscape after the UK exits the European Union.”—[Official Report, 7 November 2016; Vol. 616, c. 36WS.]
That point is particularly significant because the GDPR will apply directly, without needing to be transposed into national legislation, so when the UK leaves the EU our main data protection law will still be the Data Protection Act 1998, which is now not fit for purpose.
The Digital Economy Bill and the Investigatory Powers Act 2016 were introduced with little mention of how they would adhere to the GDPR. Unless the GDPR is transposed into national legislation, our country’s main data protection law post-Brexit will be the outdated Data Protection Act. This matters, because without the new protections, UK citizens are vulnerable. Government research shows that nine out of 10 organisations have suffered data breaches, but the vast majority are under no obligation to report incidents. Falling back on the old system will not be good enough; we need to be moving forward into the 21st century in data protection, not backward into the last century. A further very real question mark hangs over the future implementation of the GDPR because of the Digital Economy Bill. Big Brother Watch has suggested that part 5 of that Bill fails to show how the legislation will adhere to the GDPR—indeed, the Bill refers to adhering to the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000, but both pieces of legislation are now out of date.
The Information Commissioner pointed out that when the GDPR takes effect in the UK,
“The government will have to introduce national level derogations as part of implementation”,
so there will have to be
“a thorough consideration of the impact of the new legal framework on all aspects of the Bill affecting data sharing”.
The Open Rights group says that the GDPR
“should be looked in more detail”
“Since the vote to leave the European Union we simply do not know what data protection regime will be in place when the Digital Economy Bill becomes law, and we fail to see how in this context Parliament can satisfy itself that the Bill will balance the needs of government with the privacy of citizens.”
It certainly seems illogical that this Bill should have been introduced with no reference to the GDPR when it will have to adhere to the GDPR in less than two years.
It is vital that the UK maintains data protection rules in line with EU rules after Brexit if we want to remain a major player on the digital stage. Many businesses and services operate across borders, and international data flows are essential to UK business operations across multiple sectors. In fact, half of all global trade in services already depends on access to cross-border data flows. There is a risk that after Brexit the UK may be treated as a “third country” on data protection issues. That is because the recently adopted Investigatory Powers Act is currently a UK competence, but that will not be the case once we are out of the EU. In a perhaps exquisite irony, we would find our legislation being judged against the standards of the GDPR. We would be a third country and could be required to come to what is termed an “adequacy decision” with the EU to allow data to flow freely between the United Kingdom and EU member states and to enable trade with the single market on equal terms.
In order to adopt an adequacy decision, the European Commission must be satisfied that a third country offers an equivalent level of data protection. A number of commentators fear that the recent Investigatory Powers Act means that the Commission may take some convincing. The risk is that such negotiations could take years to resolve, leaving protections for UK citizens in the meantime weak, as well as hugely disadvantaging the crucial tech sector, one of our great success stories. How easy it would be for our competitors in mainland Europe then to say to people, “Move here, where you can be inside the system. Don’t stay outside in the cold.”
Ministers should be working to ensure that our data protection rules are strong enough to secure an EU-UK adequacy decision, which will be vital to underpin trade rights across the digital economy. That is what we need, but as with the rest of the Brexit negotiations, we are in the dark, unless the Minister can shed some light this evening. Will he tonight confirm that the Government will prioritise guaranteeing international data flows post-Brexit during negotiations?
The Information Commissioner has also stated that, with so many businesses and services operating across borders,
“international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”
Will the Minister also confirm that the Government are seeking to secure an EU-UK adequacy decision? It is worth noting in passing that the last adequacy decision, with New Zealand, took more than three years to negotiate.
Data are the currency of the digital economy and we must not shy away from the broader challenges and opportunities this presents. The data landscape is shifting and legislation must keep pace if we want to protect citizens’ rights while simultaneously tapping into the potential offered by the internet of things. If we want the UK to remain at the forefront of the digital revolution, our data protection legislation must remain at least equivalent to European Union rules. As the Information Commissioner has succinctly said:
“I don’t think Brexit should mean Brexit when it comes to standards of data protection.”
The danger is that, to paraphrase, when it comes to data, Brexit could mean exit for tech.
The Government should champion the GDPR as a starting point for a comprehensive examination of how we can make better policy on big data. I hope the Minister will tonight provide further reassurance that the Government recognise the strategic and economic value of data for our country, as well as the importance of facilitating public confidence in how data are being used, and are consequently putting data, and data protection, at the heart of their negotiations.
It normally says at the start of a Minister’s speech in response to an Adjournment debate, “Let me start by thanking the hon. Member for securing this important debate,” and this time I really mean it, because this is an important subject. Although the hon. Member for Cambridge (Daniel Zeichner) and I sit on opposite sides of the House, we have a similar interest in the subject and want to go in a similar direction in terms of the data protection regime that applies in the UK. We also share a common understanding of the value of data in a digital economy.
That does not surprise me, because the hon. Gentleman is not only an expert in his own right, but as MP for Cambridge he represents one of the most data-rich constituencies in the country. It is very good to see continuing investment in tech companies in Cambridge, including after 23 June. In fact, one of the biggest foreign investments in any British company ever was the investment in ARM Holdings based in Cambridge in July this year. That was a vote of confidence in British tech post-referendum, and since then we have seen investment decisions intrinsically based on the strength of our data systems, by companies such as Google, Facebook, Apple, Microsoft, IBM and others, all of whom have made significant investment decisions into the UK post-Brexit. We have been clear that the general data protection regulation will apply in the UK from May 2018. We fully expect still to be in the EU at that point. That is why we have announced that we will ensure that the GDPR will apply in the UK from then.
The information rights landscape has evolved rapidly in the past decade, as the hon. Gentleman set out. The ability to collect, share and process data is critical to success in today’s digital global society. It is right to update our data protection regime not only because we will still be in the EU, but because it is time to update it, given the enormous changes that have taken place.
We were clear in the negotiations on the GDPR that any new data protection legislation needs to meet the need for high standards of protection for individuals’ personal data while not placing disproportionate burdens on businesses and organisations. The UK was successful in negotiating a more risk-based approach to the GDPR, allowing for greater flexibility in relation to the regulation’s mandatory requirements, such as on data protection impact assessments and data protection officers. We want a scheme that works effectively, protects data and is flexible to ensure that our data economy thrives. Therefore, we were successful in negotiating a reduction in some of the red tape and bureaucracy for ordinary businesses whose primary activities are not data processing but who have data that need to be protected. We succeeded in the negotiations to give greater discretion to the UK’s Information Commissioner in the way it enforces breaches of the regulation.
The new rules will strengthen rights and empower individuals to have more control over their personal data, for example, by providing individuals with greater access to their personal data and information on how their data are being used, and a new right to data portability, making it easier to transfer personal data between service providers. In addition, the GDPR provides important new safeguards, including new fines of up to 4% of an organisation’s annual global turnover, or €20 million, in the most serious cases of breaches of the regulation. Therefore, this is an important call to action for businesses to offer individuals assurances that their data are protected.
The hon. Gentleman asked a series of questions about the implementation of the GDPR. We now need to press ahead with implementation. It will become directly applicable in UK law on 25 May 2018, but a lot of preparatory work needs to be done in the meantime, both in government and by businesses throughout the country. We are now working on the overall approach and the details of that implementation. Details of any new legislation in this area will be made in due course and announced in the normal way, but I can tell him that we are considering these matters in great detail as we speak.
It is important for businesses and organisations to prepare now for the new standards of data processing. A lot of work has already taken place, but there is much for businesses to do to ensure that their processes and practices are aligned with the GDPR. The Information Commissioner is providing regular updates on the steps that organisations and individuals should take to prepare for the new legal framework and will continue to provide guidance over the next few months. We plan to consult with stakeholders on key measures where we have the opportunity to apply flexibilities, which the hon. Gentleman mentioned, in the regulation to maximise and to protect our domestic interests and to get the balance right between delivering the protection that people need and ensuring that the regulation operates in a way that ensures that the UK’s data economy can be highly successful. For example, one measure will be on what the age of consent should be for children who wish to access information services. We want a data protection framework that works best for the UK and meets our needs. Those consultations will be forthcoming.
The hon. Gentleman also asked about the issue of adequacy and the need for our data protection regime to be interoperable with data regimes around the world. It is a question of our data relationship not only with the European Union, but with other countries, too, because the data economy is truly global. We have made progress in our argument within the EU that data localisation rules are not appropriate. That is a live issue in the EU at the moment. There is also work to be done between now and 2018 to make sure that we achieve a coherent data protection regime and that data flows with the EU are not interrupted after we leave. The Government are considering all options for the most beneficial way of ensuring that the UK’s data protection regime continues to build a culture of data confidence and trust that safeguards citizens and supports businesses in a global data economy.
Without having been able to prejudge the publication of consultations and of legislative plans, I hope that I can reassure the hon. Gentleman and the tech industry in the UK that we are doing all we can to ensure that our future data standards are of the very highest quality, including their international links, and that we get the balance right between ensuring the high levels of protection that individuals and companies need and ought to expect with the appropriate levels of flexibility to make sure that our data economy can be one of the strongest in the world.
The Minister is making a deft response and I am listening closely to him. Could he say more about the impact of the Investigatory Powers Act 2016, which has been raised, and the difficulty that it might present to achieving an adequacy agreement?
I was about to come on to that issue, which was raised in the Digital Economy Bill Committee. The Bill includes important data-sharing arrangements, supported by the Labour Government in Wales, to improve public services and other things by ensuring that data are appropriately shared. Those sharing arrangements will still be protected by the data protection regime. The Bill is drafted according to the current law, which is the Data Protection Act. It is not possible to draft legislation in anticipation of future legislation; that is not how the body of legislation works. If and when legislation is proposed to amend an existing system such as the Data Protection Act, one would expect it to include an amendment to the Digital Economy Bill, should this Parliament enact it, in order to make it consistent. That is how legislation is made in the UK. It is neither possible nor logically sensible to legislate in anticipation of future legislation, even if we fully expect it to come into force. All of the existing statute and the Digital Economy Bill, which is currently before the other place, are drafted with reference to the existing regime because the Bill will come into force before the expected future regime comes into existence in 2018.
That explanation may have been more convoluted than it needed to be, but I hope it shows why the Bill—and, indeed, other recent legislation—is drafted in that way. I have heard the complaints, but they simply miss the point of how legislation is made and framed. I hope that that answers the hon. Gentleman’s question and that he is reassured that we are working to implement a modern and effective data protection framework, fit for purpose for the digital age. I welcome his input.
Question put and agreed to.
Motion made, and Question proposed, That this House do now adjourn.—(Guy Opperman.)