My Lords, I support this amendment, of which I am a co-signatory. I very much agree with what the noble Lord, Lord Stevenson, said, though I fear I might add a few questions for the Minister. As he said, free data flows across borders are an essential foundation of many key sectors of our economy, not just the tech industry as such but manufacturing, retail, health, information technology and financial services. It is vital that the free flow of data between the UK and the rest of the EU continues post Brexit with minimum disruption.
The European Union Select Committee, in its recent report on the revised withdrawal agreement and political declaration, pointed out that there was a lowering of ambition in the political declaration compared to what we have now as part of the EU’s digital single market. We have free flows, whereas the political declaration talks only about the “facilitation” of data flows. That is not the same as “freedom” of data flows. A host of organisations and the Information Commissioner have all persuasively argued that we need to ensure that our data protection legislation and practices are ruled as adequate. That is why it is so important that we get these regular reports and, as the amendment says, that we discover what the policy of HMG is if we do not have a data adequacy agreement after the end of transition.
We cannot take such a decision for granted merely because the GDPR more or less forms part of UK law. A major obstacle to an adequacy ruling is, of course, the bulk data provisions in the Investigatory Powers Act 2016, particularly in the light of the European Court of Justice decision in Tele2/Watson, the case brought by David Davis and Tom Watson over the legality of GCHQ’s retention and bulk interception of call records and online messages. That judgment ruled that UK mass surveillance laws breach the Charter of Fundamental Rights.
Just today there has been an opinion from the Advocate-General, the court’s legal adviser, who tends to get followed in 80% of ECJ cases, on a case which involves Privacy International, and a reference from the Investigatory Powers Tribunal. The Advocate-General has reinforced EU privacy law against mass retention and access to customer data by GCHQ, MI5 and MI6. I think this concerns provisions in Section 94 of the Telecommunications Act 1984. So we may get a second CJEU ruling, which will be problematic for any adequacy ruling given the very explicit requirements of Article 45(2)(a) of the GDPR, requiring the commission to consider
“respect for human rights and fundamental freedoms”,
as well as
“national security … and the access of public authorities to personal data … and … international commitments”.
They will probably want to look at any potential transatlantic transfers agreed with President Trump.
It is already clear that many aspects of the Investigatory Powers Act fall short of satisfying the CJEU criteria. The purposes of retention are not limited to fighting serious crime, data retention is not targeted to what is strictly necessary, prior independent review or judicial authorisation is not required in all cases, and there is no provision for informing individuals.
What are the Government going to do in the area of the powers of intelligence agencies to satisfy the European Commission—and the European Parliament, where I had some experience of this, particularly in the era of the Edward Snowden revelations, when many in the Parliament were jumping up and down about GCHQ but there was nothing they could do about it while we were in the EU? Once outside, we actually get much stricter scrutiny about our interception practices than when we are inside; it is something of an irony, really. Then there is the problem about the exception for immigration data in the Data Protection Act 2018. The EU will no doubt closely monitor how the Home Office reviews settled status applications and whether data subjects can obtain full access to their personal data if there are disputes or problems about their status.
In addition, we discussed earlier today the accusation—it seems stronger than that—that the UK has illegally copied, and therefore misused, the Schengen Information System database by copying it into a national database and even sharing it with private companies. The commission report says that UK practices
“constitute serious and immediate risks to the integrity and security of SIS data as well as for the data subjects”.
That is another area where we are going to be under strict review. There is the trust issue, which we also discussed earlier today about the criminal records fiasco—I think one would have to use that word.
There are lots of questions and challenging reviews that the Government will have to answer in seeking data adequacy decisions. We need to know what steps they have taken so far to achieve this decision. Will they apply to continue to participate in the European Data Protection Board? What will they do if we get turned down for a data adequacy agreement? Anything else is second best. Have the Government thought through what their strategy will be if they do get refused? Will they change the legislation on handling personal data for national security purposes? Those are a lot of questions, but it is a very significant area of the negotiations with the EU 27. From past experience, I know that the European Commission will be very much on the ball—not least because of the eagle eye that the European Parliament will have on this area—so the Government have to be as well.