My Lords, Amendment 32 is in my name and I thank the noble Baroness, Lady Ludford, for her support. I am also pleased to see the new Secretary of State in her place. Although I think she will not respond to this debate, I am sure she is learning from the process and we look forward to further interactions with her in due course, not least the opening Question Time, which I see is now on the timetable—it should be fun.
This is a probing amendment, by which I seek to draw attention to two things. One is the importance of the personal data sector; that may not need to be said, but it is worth reminding ourselves of its importance. The other is the implications for our economy if the Government are unable to persuade the EU to agree a data adequacy decision within the tight timetable that we have. But I also want to raise concerns about the future of this sector in light of the Government’s plans for further changes to the law, some or all of which might reduce the chances of us obtaining a positive data adequacy outcome.
The facts are that 43% of EU tech companies are currently based in the UK and 75% of the UK’s personal data transfers are with EU member states. It is therefore vital that a data adequacy agreement is reached within the timescale proposed under the withdrawal agreement. But quite apart from the timescale, achieving a positive adequacy decision for the UK is not as uncontentious as the Government seem to think. For a start, any adequacy agreement requires the European Commission to consider a wide array of issues, such as the rule of law, respect for fundamental rights, and legislation on national security, public security and the criminal law in that country. As was pointed out during the passage of the Bill, the surveillance practices of the UK intelligence services may indeed jeopardise a positive adequacy decision tout court. But there are particular difficulties and it is worth reflecting on these.
Further modifications of the GDPR, as it was legislated for, are possible in the UK after Brexit using the powers in the European Union (Withdrawal) Act in areas such as rights, principles, definitions, powers
of regulators, and fines. This means that the European Commission will have concerns on how secure the adequacy decision will be. Can the Minister say what guarantees will be under consideration in these areas? One problem with the UK’s version of the GDPR is that the Government resisted calls from this side of the House to include the recitals in the legislation. However, somewhat ironically, much of the ICO guidance on the GDPR is linked to the recitals and references are made to all of them. How will the Government square that anomaly whereby, after December 2020, those recitals will relate to the EU version of the GDPR but not specifically to the UK version? It has been argued that several of the exemptions in Schedules 2 to 4 to the DPA 2018 are not mirrored in other EU member states’ national data protection law, such as immigration and national security references, which might diminish the rights and freedoms of EU nationals in the UK. Can the Minister say how the Government will resolve this?
As was discussed at length during the passage of the Bill, the Investigatory Powers Act 2016 and the amount of bulk personal data collected routinely in the UK are generally accepted as a problem. Do the Government have any thoughts on how to address these issues? The status of codes of practice produced by the Secretary of State under the Digital Economy Act 2017 and the framework for data processing by government raises the question of whether the ICO is an independent regulator. Does the Minister accept that this may cause problems for the data adequacy ruling?
There are important provisions within the withdrawal agreement in relation to data protection over the transition period and I accept those. They include the fact that the GDPR and related EU privacy laws will continue to apply in the UK during that transition period and that there will be no immediate change in UK law on exit day. The UK must continue to interpret and apply the GDPR and related EU laws consistent with wider EU legal principles. The UK courts will therefore continue to apply decisions of the Court of Justice of the European Union and changes in EU law through the transition period, though presumably there will not be that many. The CJEU will continue to have jurisdiction in the UK, and decisions on the GDPR may be referred to the CJEU during the transition period.
We have all that as a base, but what happens if either we find that the EU will not grant an adequacy agreement or that it is significantly delayed? The current thinking is that impacted organisations—there will be a lot of them—will need to adopt specific legal safeguards to support the lawful transfer of personal data to the UK and that they will use standard sets of contractual terms and conditions, which the sender and the receiver of the personal data must both sign up to. But SCCs cannot be used to safeguard all transfers, and redress would of course be a civil and not a criminal matter in the courts, with all that that implies. The question is whether the Government have in mind to legislate to provide certainty for this possibility. Can the Minister comment on that?
The Government have ambitious plans, which we broadly support, to respond to increasing concern about the use and misuse of personal data, particularly as these affect children, but also including online trolling, fake news and undue influence on political issues. The Government are also considering how and in what way data companies are covered by competition and other regulations that apply to media companies.
8.30 pm
We look forward to initiatives from the CMA and Ofcom and to seeing the online harms Bill, which is to introduce a duty of care approach to statutory regulation in this area, which will transform the legal position of the big tech companies from “platforms”—which they like to call themselves—and recognise that they are active media and information companies, with the broad societal responsibilities that this must entail. These changes in approach, desirable as they are, are bound to affect our current data protection regime. Can the Minister give us more detail and assure us that this work is not under threat and will not impact on our proposed data adequacy agreement with the EU?
I have listed rather a lot of questions, probably too many for this time of night, and I am quite happy to have a letter from the Minister if she would feel more comfortable with that, but I would like some general shape to her response before we let her go this evening. I have outlined a range of important issues which will impact on an important sector of our economy. If the Minister accepts the broad drift of this argument, will she also agree that there is substantial interest in the sector about this? It therefore follows that my amendment, probing as it is and calling for formal Statements and reports, would be of value to all concerned. I beg to move.