The Committee consisted of the following Members:
Chair: Mr Nigel Evans
† Afolami, Bim (Hitchin and Harpenden) (Con)
† Baker, Mr Steve (Wycombe) (Con)
† Byrne, Liam (Birmingham, Hodge Hill) (Lab)
† Docherty, Leo (Aldershot) (Con)
† Elmore, Chris (Ogmore) (Lab)
† Foster, Kevin (Torbay) (Con)
† Freer, Mike (Lord Commissioner of Her Majesty's Treasury)
Grogan, John (Keighley) (Lab)
† Hoare, Simon (North Dorset) (Con)
† James, Margot (Minister for Digital and the Creative Industries)
† Knight, Julian (Solihull) (Con)
† Latham, Mrs Pauline (Mid Derbyshire) (Con)
† Smeeth, Ruth (Stoke-on-Trent North) (Lab)
† Spellar, John (Warley) (Lab)
† Streeting, Wes (Ilford North) (Lab)
† Western, Matt (Warwick and Leamington) (Lab)
† Whitford, Dr Philippa (Central Ayrshire) (SNP)
Dominic Stockbridge, Committee Clerk
† attended the Committee
Sixteenth Delegated Legislation Committee
Thursday 14 February 2019
[Mr Nigel Evans in the Chair]
Draft Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019
I beg to move,
That the Committee has considered the draft Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019.
It is a pleasure to serve under your chairmanship, Mr Evans. Much of our current data protection framework derives from EU measures—namely the General Data Protection Regulation and the law enforcement directive—over which our Information Commissioner’s Office and UK civil servants have had considerable influence.
When the UK leaves the EU, the GDPR will no longer have direct effect on our law. It will however be retained in domestic law through the European Union (Withdrawal) Act 2018. A number of deficiencies will arise in this as a result of our leaving the Union. The purpose of the draft instrument is to ensure that UK data protection law continues to be operable after exit, and that the protections for data subjects and the obligations on data controllers and processors remain in place after we have left the European Union.
Does the Minister envisage the Government and, indeed, Parliament taking the opportunity to deal with some of the ludicrous interpretations of GDPR legislation, which lead to massive amounts of bureaucracy in both the public and private sectors?
The right hon. Gentleman makes a valid point. I do not think that it pertains to this particular statutory instrument, but I am sure that if he requested a debate on those important matters, he would find a ready audience of hon. Members to participate in it.
Many of the changes made to the GDPR by the draft regulations are minor or technical, and replace European Union-related terminology with UK equivalents. In my remarks, I will cover a number of more complex issues relating to international transfers of personal data, extraterritorial application of the UK GDPR, regulatory co-operation, and our approach to what is known as “applied GDPR”.
On international transfers, the GDPR and part 3 of the Data Protection Act 2018 restrict the transfer of personal data to third countries, unless certain safeguards are met. One of those safeguards is a third country, or a sector within the country, being deemed “adequate” by the European Commission. If deemed “adequate”, data can flow freely to that country or sector. In the absence of an adequacy decision, data can still be transferred, but the onus is on controllers to make sure that alternative safeguards are in place to provide sufficient levels of protection.
The Commission will not be able to make adequacy decisions on behalf of the UK post exit. The regulations transfer that function and the function of preparing model contractual clauses to the Secretary of State. To minimise any disruption to established data flows from the UK to the EU post exit, the regulations add a number of transitional provisions to the 2018 Act. That includes a provision to continue to treat EU member states, other European economic area countries and Gibraltar as adequate in relation to processing under the UK GDPR.
Similar provision is made for personal data transferred to third countries for law enforcement purposes under part 3 of the Data Protection Act 2018. That permits transfers to third countries where the European Commission has found a country, territory or sector adequate under article 36 of the law enforcement directive. For law enforcement processing covered by part 3 of the 2018 Act, EU member states and Gibraltar will be treated as adequate to preserve the flow of critical law enforcement data to those places.
The provisions included in the regulations will allow UK businesses to continue to transfer data to their partners in the EU without any interruption. We propose to adopt a similar approach for countries that had been deemed adequate by the EU Commission by the time the draft regulations were laid before Parliament. That includes the EU’s decision on companies participating in the Privacy Shield scheme in the United States. Further regulations will shortly be introduced to clarify that personal data can be transferred only to those US companies that have updated their Privacy Shield commitment to include the UK.
The draft regulations do not refer specifically to the EU’s adequacy decision in relation to Japan, which was made after they were laid before Parliament, but we will work with the Japanese Government to consider what, if anything, is required in our domestic law to reflect that development. Where UK organisations rely on standard contractual clauses approved by the EU Commission as an adequate safeguard for transfers to other third countries, further transitional provisions will mean that they can continue to rely on those contracts.
Let me outline the draft regulations’ approach to the extraterritorial provisions in the GDPR. The GDPR applies not only to data controllers based in the EEA, but to data controllers based outside the EEA processing EEA data for the purpose of providing goods and services or monitoring individuals’ behaviour. Where a data controller outside the EEA is systematically processing data of EEA residents, it is required to appoint a representative in the EEA to act as a contact point for EEA supervisory authorities. To ensure that there will be no dilution in data protection standards when the UK leaves the EU, the draft regulations preserve the GDPR’s extraterritorial approach. In practice, that means that the UK GDPR will apply to certain data controllers based outside the UK that are processing data or monitoring the behaviour of data subjects in the UK. We have preserved article 27, which requires data controllers and processors based abroad who are systematically processing the data of people in the UK to appoint a representative in the UK.
Let me turn to regulatory co-operation. Articles 60 to 76 of the GDPR focus on how supervisory authorities in the EEA will work together to investigate data breaches that might affect people in more than one country. They also make provision about the supervisory authorities sharing guidance and best practice through the European Data Protection Board. If the UK leaves the EU without a deal, there will be no automatic right for the Information Commissioner to sit on the EDPB or participate in the GDPR’s one-stop-shop mechanism, so those provisions have been omitted from the UK GDPR. Even with a deal, the automatic right for the Information Commissioner’s Office to sit on the EDPB is not yet assured.
The draft political declaration makes it clear that the EU and the UK should continue to collaborate on data after we leave the EU. The draft regulations will retain article 50 of the GDPR in our law, ensuring that EU and UK data protection authorities will have a common basis for developing international co-operation mechanisms.
I will now outline what our exit from the EU might mean for “applied GDPR”, as provided for by the Data Protection Act. The Act creates a separate regime that provides for standards broadly equivalent to the GDPR to apply to processing activities that are outside the scope of EU law and not covered by parts 3 or 4 of the Act. As a matter of domestic law, the GDPR will not apply directly to any general processing activities when we leave the EU, so we can simplify matters by recreating a single regime for all general processing activities, including those that were previously covered by the applied GDPR. Provisions in the Data Protection Act that created or referred to the applied GDPR have therefore been removed from all relevant legislation. The draft regulations make it clear that the new single regime covers matters outside the scope of EU competence prior to the UK’s departure from the EU. The existing exemptions relating to national security and defence in the applied GDPR will be retained in the merged regime to ensure that the intelligence community can continue to carry out its vital work.
As I have set out, our approach is an appropriate way of addressing the deficiencies in data protection law resulting from the UK leaving the EU. I commend the draft regulations to the Committee.
It is a pleasure to serve under your chairmanship, Mr Evans. The draft regulations are a wise precaution, although it is slightly ironic that Her Majesty’s Government are presenting us with what is basically a foundation stone for the permanent customs union and free trade agreement on data that we have been advocating for the United Kingdom in the round. I look forward to Government Members, including the hon. Member for Wycombe, presenting a united front this morning on laying this important foundation stone for a critical part of our customs union with our nearest neighbour.
The draft regulations are a wise precaution because 43% of tech companies in Europe are based in our country and three quarters of our cross-border data flows are with our European neighbours. In introducing them, the Minister is dramatically constraining this country’s ability to strike free and unfettered trade agreements with other countries around the world, because on the critical issue of data, she is locking us into the European Union’s provisions. The Opposition fully support that approach, but we have five important questions for her to answer. The draft regulations are just one piece of the jigsaw, so it is difficult for us to sign them off without having due regard for the full picture of regulation required.
Regulation 8 will write into UK law a derogation from GDPR rules on age. As the Minister knows, the GDPR gives countries latitude to lower from 16 to 13 the age at which consent is deemed to have been given; she is now writing the 13 limit into UK law. During the passage of the Data Protection Act, the Opposition were not particularly comfortable with that approach, which she is asking the Committee to sign off before presenting her much anticipated White Paper on internet harm. Since she is asking us to sign off a derogation that will lower the age of consent to 13 before we know what legal provisions will safeguard our children against bad social media firms, perhaps she could say a little more about whether Her Majesty’s Government agree with the duty of care architecture that we proposed before Christmas.
Furthermore, the draft regulations will be meaningless unless the Information Commissioner has the resources to enforce them. The Minister managed to get through her speech without saying anything about the additional resources that the commissioner will enjoy in order to enforce such a critical part of our regulatory architecture. Nor did she say anything about whether the draft regulations will increase our chances of getting an adequacy agreement with the EU, about whether they will accelerate the timetable for getting such an agreement, or about her Department’s contingency plans in case there is no adequacy agreement.
The Opposition broadly support the draft regulations; indeed, we think that a permanent customs union for data should be replicated across the piece for UK trade with the European Union. However, the Minister has important questions to answer before we can give the draft regulations our consent.
It is a pleasure to serve under your chairmanship, Mr Evans. Obviously, we are rushing through hundreds of statutory instruments because of the threat of no deal and of exiting the EU in a rush in just over 40 days. Data flow is absolutely critical, not just for tech companies, but for how the public sector—or indeed, everything—functions. Getting it right is therefore critical.
I recognise that this has to be done, although it is disappointing that it is being done in a rush, because the public’s concern is about the flow of their personal data and whether it is maintained in a private fashion and protected. An issue that has been raised with me by EU citizens who have looked at applying for settled status is that in the small print at the end, it says that their data may be shared with public or private organisations in the UK or outside. It does not state who on this planet their data cannot be shared with—that might actually be a shorter list. That raises real concern because it is important data to do with their identity, background and HMRC records. It is important that people’s data is protected.
I recognise that the SI corrects paragraphs 76 and 201 of schedule 19 to the Data Protection Act 2018, but the key, as the Minister highlighted, is international transfer. The European Commission has carried out adequacy assessments on third countries, maintained ongoing monitoring and issued standard contractual clauses where protections are not sufficient. It has also monitored and supported that process on an ongoing basis. The Minister’s reference to Japan’s agreement, which was made after this draft instrument was laid, raises one of the key questions going forward: how will this be kept up to date as things change with the EU? We are talking about a massive recreation and duplication of that effort. Huge multinational companies transfer our data elsewhere in the world, and binding corporate rules and whether that data remains protected is another issue that concerns people.
All that will be put on the shoulders of the Secretary of State and the Information Commissioner. I echo the shadow Minister in querying the cost of this and how that cost will be covered, whether from businesses or from taxpayers. The explanatory memorandum mentions that the Government are looking to maintain data flows from the UK to the EU, but nothing in the draft instrument can compel data flows from the EU to the UK. Data flows are a two-way transfer. The loss of the commissioner’s position on the EDPB is significant.
Whether statutory instruments deal with drugs, blood products or medical devices, the sharing of information in both directions has been for the benefit of all our constituents. How will the new regime work going forward? How will it be funded? How will we ensure that we do not end up with gaps in data that expose us to dangers in the future?
It is an absolute joy to sit on the Committee, as I was the Minister on the European Union (Withdrawal) Bill Committee. I congratulate the Minister and officials on the excellent explanatory memorandum, particularly part 2, which sets out the appropriateness statement and so on, in compliance with the European Union (Withdrawal) Act 2018. It is therefore a real joy to have the opportunity to serve on the Committee and I am grateful to be able to make a few remarks.
I was slightly amused by the Opposition spokesman’s remarks about a “data customs union”. I will not rise to that one, as much as he may wish me to—what an amusing hour we could spend. The principle of continuity is crucial and has underpinned all our work. Clearly, it is right that the country should be ready to leave the European Union with or without a deal. I should say “in the unwanted circumstances of leaving without a deal”; Conservative MPs of all persuasions are overwhelmingly united in wishing to leave the European Union with a deal, but it is quite right that we should be ready for all circumstances, which is what the draft instrument before the Committee addresses. I just heard somebody say, “made a change”. I can only think of one Member of Parliament who positively does not want a deal. We would all prefer to leave with an agreement.
It is in our mutual interests that data exchange continues after our exit. It would be absurd were it not to from the current point of alignment. Today is not the day for churlish criticism of the bureaucracy of how the GDPR works; it is a day to welcome the Government’s preparation for leaving, with or without a deal, and to say well done to a Minister who I suspect would have preferred not to leave the European Union. I pay tribute to her and to all Ministers right across Government, who, with great talent and determination, have risen to the challenges of preparing this country for our exit, whether they supported the referendum result or not. I say a huge “thank you” to the Government. It is a great privilege to serve on the Committee.
I thank hon. Members for their questions and comments. I will do my best to respond to them. I agree with the shadow Minister that the draft regulations are a wise precaution. He rightly mentioned that three quarters of our country’s international data flows are with other European Union member states. That is of course even more than the average for exports of other things, notably manufactured goods, which are almost 50% of our global trade.
I do not know whether the shadow Minister is concerned that, by locking into the GDPR, we will jeopardise our ability to strike trade deals with other countries. In previous debates, I have assured him that it is the Government’s intention that we continue to enjoy the benefits of the privacy and data rights that the GDPR has given British nationals, and we would not want to see those rights compromised by any trade deal in the future. The GDPR is becoming a gold standard for privacy and data rights globally—it is causing rising envy, certainly in the US.
The shadow Minister mentioned the age of consent, which is set at 13 in the Data Protection Act. That relates to the rights of young people to open accounts online. We have not reduced that age; we have set it. We set it within the band that the GDPR permits member states to set it. We were not alone in choosing 13; at least five other member states also set the age of digital consent at 13. He raised concerns, which I share, about some of the risks to young people online. We intend to address those through the White Paper we will publish shortly. I thank him and his team for the suggestions they have made to us over the past six months about what that White Paper should contain.
The shadow Minister asked about adequacy. He knows that we cannot guarantee adequacy, because it is in the EU’s gift rather than ours, but we have made it clear to the EU that we are ready to commence adequacy discussions just as soon as it is ready. We have had an indication from the Commission that, as long as we leave with a deal, it will be ready to start those discussions immediately. Given that we will be fully compliant at the moment of departure, it is highly likely that we will be able to conclude those discussions at the shorter end of the spectrum of times that adequacy discussions with third countries have taken in the past.
The shadow Minister asked about the contingencies we are making in the event of no deal. The ICO and officials in my Department have been working closely together, and the ICO has published approaches for both the public sector and industry in terms of the reach of the standard contractual clauses that will form a legal basis for transferring data in the event that we do not have an adequacy decision. Of course, if we left without a deal, we would not have an adequacy decision.
The hon. Member for Central Ayrshire asked whether EU citizens in her constituency and elsewhere in Scotland will continue to enjoy the same data rights and privacy. I can assure her that they will. They will have those rights as long as we leave with a deal. EU citizens’ rights are enshrined in the deal, and they will enjoy exactly the same provisions as citizens of this country, assuming we get that deal and implement these regulations. The regulations will preserve the GDPR’s extraterritorial approach in UK law.
Will the Minister therefore clarify—I understand that she might not be able to do so at this moment—why there is no reference to GDPR protection in the small print of the settled status scheme, other than a bald statement that people’s data can be shared pretty much with anybody?
I will write to the hon. Lady with any clarification I can provide to give her the comfort she seeks. I do not have that precise information to hand, and I was not aware of the issue, but of course I will write to her.
Both the hon. Lady and the shadow Minister raised the issue of resources. We took a statutory instrument through last year that provided the ICO with a substantial increase in its budget and its ability to hire people, including experts. The ICO has added considerably to its staff over the past 12 months, and we will ensure that it continues to have the resources it needs to provide the invaluable service that it has a remit to provide. I assure all hon. Members of that important fact.
I note the remarks of my hon. Friend the Member for Wycombe. I remain hopeful, as he says he does, that we will get a deal that continues to protect the data rights of people in this country and a great deal more besides. I commend the draft regulations to the Committee.
Question put and agreed to.