I welcome the Bill. I am delighted that it finally takes advantage of one of the freedoms that has resulted from our leaving the European Union, which I supported at the time and continue to support. As has been indicated, the Bill has had a long gestation. I was the Minister at the time of the issue of the consultation paper in September 2021 and the Bill first appeared a year later. As the Opposition spokesman pointed out, a small hiccup delayed it a bit further.
Our current data protection laws originate almost entirely from the EU and are based on GDPR. Before the adoption of GDPR in 2016, the UK Government opposed parts of it. I recall that the assessment at the time was that, although there were benefits to larger companies, there would be substantial costs for smaller firms and indeed that has been borne out. There was a debate in government about whether we should oppose the GDPR regulation when it was going through the process of the Commission formation. As so often was the case in the EU, we were advised that, if we opposed that, we would lose vital leverage and our ability to influence its development. Whether we were able then to influence its development is arguable, but it was decided that we should not outright oppose it. However, it has always been clear that the one-size-fits-all GDPR that currently is in place imposes significant costs on smaller firms. When we had the consultation in 2021, smaller firms in particular complained about the complexity of GDPR, and the uncertainty and cost that it imposed. Clearly, there was seen to be an opportunity to streamline it—not to remove it, but to make it simpler and more understandable, and to reduce some of the burdens it imposes. We now have that opportunity to diverge.
The other thing that came back from the consultation—I agree with the Opposition Members who have raised this point—was that there is an advantage in the UK’s retaining data adequacy with the EU. It was not taken for granted that we would get data adequacy. A lengthy negotiation with the EU took place before a data adequacy agreement was reached. As part of that process, officials rightly looked at what alternative there would be, should we not be granted data adequacy. It became clear that there are ways around it. Standard contractual clauses and alternative transfer mechanisms would allow companies to continue to exchange data. It would be a little more complicated. They would need to write the clauses into contracts. For that reason, there was clearly a value in having a general data adequacy agreement, but one should not think that the loss of data adequacy would be a complete disaster because, as I say, there are ways around it.
The Government are right to look at additional adequacy agreements with countries outside the EU, because therein lies a great opportunity. The EU has managed to conclude some, but not that many, and the Government have rightly identified a number of target countries where we see benefits from achieving data adequacy agreements. It is perfectly possible for us to diverge to a limited extent from GDPR and still retain adequacy. Notably, the EU recognises New Zealand’s regime as being adequate, even though New Zealand’s data protection laws are different from those of the EU. The fact that we decided to appoint the former New Zealand Information Commissioner as our own Information Commissioner means that he brings a particular degree of knowledge about that, which will be very useful.
In considering data protection law, it is sometimes said that there is a conflict between privacy—the right of consumers to have protection of their data—and the innovation and growth opportunities of technology companies. I do not believe that that is true; the two things have to be integral parts of our data protection laws. If people believe that their privacy is at risk, they will not trust the exchange of data. One problem is that, in general, people read only about the problems that arise, particularly from things such as identity theft, hacks and the loss of data as a result of people leaving memory sticks on phones or of cyber-criminals hacking into large databases and taking all their financial information. All those things are a genuine risk, but they present only one side of the picture and, in general, people reach their view about the importance of data protection according to all the risk, without necessarily seeing the real benefits that come from the free exchange of data. That was perhaps the lesson that covid showed us more than any other: by allowing the exchange of data, it allowed us to develop and research vaccines. We were able to research what worked in terms of prevention and the various measures that could be taken to protect consumers from getting covid. Therefore, covid was the big demonstration of the fact that data exchange can bring real benefits to all consumers. We are just on the threshold—