My Lords, this is clearly box-office this evening. As soon as I saw the Secondary Legislation Scrutiny Committee’s report and its comments, I thought these regulations were a prime candidate for a regret Motion. This does not mean that the Minister has to be quite as persuasive as he would be if they were subject to the affirmative process, but it does mean that he has to recognise that we are not just going to let this kind of important secondary legislation go through on the nod—especially where his department has not excelled itself in giving the necessary explanatory and impact assessment material.
On purely procedural grounds, the tale of how DSIT has dealt with this SI is not a happy one. These are regulations made under Section 17A of the Data Protection Act 2018 to establish a data bridge with the United States of America through the UK extension to the EU-US data privacy framework. The impact assessment for the regulations was first submitted on 4 August for Regulatory Policy Committee scrutiny, and the RPC’s initial review of it, sent to DSIT on 15 September, found that it was not sufficiently robust and identified areas where improvements should be made. As the RPC states:
“We considered that the points raised would generate a red-rated opinion, if not addressed adequately”.
Following discussions, DSIT submitted a revised impact assessment on 20 September. The data protection adequacy regulations were laid before Parliament the day following, 21 September.
In its report of 17 October, the SLSC said:
“We regret the absence of the IA and of a public consultation and recommend that the EM be revised to include the missing contextual information”.
The regulations are drawn to the special attention of the House on the ground that the explanatory material laid in support provides insufficient information to gain a clear understanding of the instrument’s policy objective and intended implementation.
The SLSC also said:
“We regret that … important context to the UK Extension to the EU-US Data Privacy Framework was not included in the EM. While the purpose of the Regulations is made clear by the EM, without the additional information provided by the Department and the link to the Government’s analysis, it is not possible for a reader of the EM to understand fully the policy context and framework of the adequacy decision and how this policy was developed. We therefore ask the Department to revise the EM to include the contextual information and the links to relevant external material. We are disappointed that the Department was unable to provide a final, green-rated IA when the Regulations were laid before Parliament … We regret—
and this is a broad point which comes up time and again—
“that this is a further example of relevant impact information not being shared with Parliament at the right time … We take the view therefore that it would have been desirable to carry out a public consultation”.
The SLSC concludes:
“We regret the absence of the IA and of a public consultation and recommend that the EM be revised to include the missing contextual information”.
If it had not been for the noble Baroness, Lady Jones, bumping into me today, I would not have realised that the Explanatory Memorandum that I read to prepare my speech today had been switched from 20 September to 21 November. I have the two versions in front of me, thanks to the noble Baroness, and they do differ. It seems extraordinary that two months should elapse before we get the revised memorandum. When I actually looked at it, I realised that it is considerably different. I am not surprised that the SLSC had something to say about this.
All the basic data protection principles that the US is meant to observe are set out in paragraph 7.7 of the new Explanatory Memorandum. They appear nowhere in the original memorandum. There is a whole slew of things: international data transfers, the need to consult expert counsel, and the fact that the Information Commissioner has produced an opinion, which I shall go on to talk about. There is also a third element of considerable importance: the impact on monetary net present value, under paragraph 12.3.
These are considerable changes, and it has taken two months and this regret Motion to elicit that kind of response from the department. That is not a happy start to these regulations: are these teething troubles at the new department, or something more serious? What is the Minister’s response to all these criticisms, in particular the lack of public engagement and the whole process by which these Explanatory Memorandums are produced?
This new arrangement is designed to be compatible with the EU-US data privacy framework and is what we must now call the UK-US data bridge. It came into force on 12 October 2023: from then on UK businesses may transfer personal data to US organisations certified under the UK extension to the EU-US data privacy framework without the need for alternative safeguards such as standard contractual clauses. Those US organisations that have committed to complying—and this is important—with the enforceable principles and requirements under the UK extension to the EU-US data privacy framework can be identified on the data privacy framework list. Organisations not subject to the jurisdiction of the US FTC or the US DoT are not eligible to participate, and that includes major institutions such as banks and insurance and telecommunication companies.
This is what a prominent firm of lawyers has said about the new regulations and the bridge:
“Organisations should take care to review the nature and scope of transfers permitted in practice and to consider the steps that should be taken to effectively make those transfers in accordance with the new arrangements. For example, certain journalistic personal data may not be transferred in reliance on the UK-US data bridge. It will also be necessary to actively indicate to the US recipient organisation that it must treat genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning sexual orientation as sensitive information. Whilst these types of data are special categories of data under Article 9(1) UK GDPR, they are not designated as sensitive information under the UK Extension to the EU-US Data Privacy Framework. Specific identification to the data recipient is therefore required. There are also specific requirements regarding the transfer of certain criminal offence data.”
The deeper you dig, it still remains potentially very complicated, and I wonder what guidance the department is giving in detail on this. For example, how exactly do the UK and the EU data bridge agreements translate to a US state basis? Do they require state ratification of some kind, or verification of the principles they adopt? If we are comfortable with the data adequacy aspects of the UK-US data bridge, there are clear advantages in terms of participating organisations being exempted from the need to conduct a transfer impact assessment, rather than having standard contractual clauses where TIAs need to be made.
However, what is the response of the Minister and his department to the Information Commissioner’s Office’s opinion on these regulations: that there are areas that could pose risks to UK data subjects if the protections identified are not properly applied? He identifies several potential issues with the UK-US data bridge: it does not contain substantially similar rights to the UK GDPR’s right to be forgotten, right to withdraw consent, and right to obtain a review by a human of an automated decision. He says:
“As a result, UK data subjects might not have the same level of control over their data as they do under UK GDPR.”
Secondly:
“The definition of sensitive information,”
much like the legal opinion,
“under the UK-US Data Bridge does not specify all the ‘special categories of personal data’ of the UK GDPR. Instead, the framework has a broad ‘umbrella’ concept providing that sensitive information can be any data regarded as sensitive by the transferring entity. UK businesses will have to clearly label certain types of data as ‘sensitive’ when transferring to a US organisation certified under the UK Extension to ensure adequate protection.”
Thirdly:
“For data on criminal offences, the ICO highlights potential vulnerabilities, even when tagged as sensitive. Since the UK places restrictions on the use of ‘spent’ convictions, there are concerns about a lack of comparable protections in the US for transferred data”.
The opinion of the ICO does not even deal with the potential impact of the Data Protection and Digital Information Bill going through Parliament, which will water down data subject rights, especially in the legitimate interest balancing test and Article 22, and in the provisions around DPOs and data protection impact assessments. Our data protection adequacy is not even secure, and the ICO specifically draws attention to this:
“If the Secretary of State becomes aware of a significant change in the level of data protection that applies to personal data transferred from the UK as a result of either the review or ongoing monitoring obligations, the Secretary of State must amend or revoke the regulations to the extent necessary”.
In addition:
“The Secretary of State is also required to monitor, on an ongoing basis, developments in a country, territory or international organisation which is the subject of UK adequacy regulations”.
Where did any of that appear in the Explanatory Memorandum? This is important stuff; it is our personal data.
How do we therefore know that our personal data is safe under these arrangements? How will the data bridge stand up, especially with the new Bill going through Parliament? Perhaps the Minister can also explain how the transfer of legally privileged data will be dealt with.
Even if this were satisfactory, one might ask how long the EU-US DPF will last before Mr Schrems gets to work. What will be the impact on our UK-US data bridge then, given that it is dependent on the EU-US bridge? Given the opinion of the ICO, should we expect litigation along the line of Schrems?
Under the DSIT analysis of last December, it is clear that the department has to take a view on, for instance, the sharing of sensitive data:
“DSIT considers that these exemptions are comparable to exemptions provided for under Article 9(2) of the UK GDPR and do not pose a material risk to UK data subjects”.
It says similarly about HR, and on personal data:
“Therefore, DSIT does not think that the extra protections afforded to criminal offence data … are likely to be undermined”,
and so on. What is DSIT actually advising businesses to do, given its opinion? Would it not be prudent to take some external advice, rather than rely on internal DSIT views about this? Would it not be safer for a business to agree or keep using standard contractual clauses?
Given the limited scope of the UK-US data bridge, a limited number of businesses can take the benefit of it. The impact assessment says: “The assumption that 23.4%”—that seems very granular—
“of those organisations who currently send personal data to the US will be risk averse due to legal uncertainty and continue to use standard data protection clauses is based on evidence from EU transfers. However, the assumption may be too conservative as many businesses reverted to using standard data protection clauses for EU transfers due to the previous risk of no-deal Brexit”.
That sounds like it is both on the one hand and on the other; it is not a very good basis for making assumptions and the figure may be even higher, given the uncertainty and difficulties surrounding some issues, such as the transfer of sensitive data.
I conclude in saying that I strongly agree with this sentence in the impact assessment:
“There is a clear rationale for creating a UK extension to the EU-US Data Privacy Framework”.
I very much believe that, if this works, it can pave the way for many other forms of co-operation with the EU. I just hope that the data protection Bill does not make that impossible.
6.45 pm
Finally, speaking of the Bill now in the Commons—and still just there—I hope that the Minister will carefully explain to us exactly what Clause 23 and Schedules 5 to 7 will do to change the current basis under Section 17A for approval of this kind of data bridge. The Explanatory Notes to the Bill do this nowhere: they simply tell us the new provisions that take over from the current Section 17A and leave us to make the comparison. I feel that the Government really should explain the difference. I fear the worst: that, as ever, the Secretary of State is taking greater powers and the tests for adequacy are being watered down.
I hope that the Minister is fully briefed on everything that I have said this evening and on all the matters I have raised. I very much look forward to his reply.