UK Parliament / Open data

Data Protection (Adequacy) (United States of America) Regulations 2023

My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for raising his concerns about this SI this evening, and for the diligent work of the Secondary Legislation Scrutiny Committee in drawing to our attention the inadequacy of the original Explanatory Memorandum attached to it. In fact, had the details been included in the proper form in the first place, it could have saved me a lot of chasing around to establish what had been tabled when; as the noble Lord pointed out, it was not immediately clear.

For example, the Secondary Legislation Scrutiny Committee criticised the lack of an impact assessment, a variation of which has now finally been attached to the SI. As the noble Lord made clear, the original Explanatory Memorandum recorded that the impact assessment was not ready to be published as it had to be submitted to the Regulatory Policy Committee for its review. We now know, thanks to the work of the Secondary Legislation Scrutiny Committee, that the RPC judged the original impact assessment as not sufficiently robust, identifying areas of improvement which, if not addressed adequately, would generate a red-rated opinion. It reports that a revised IA was submitted to the Regulatory Policy Committee on 20 September. Can the Minister confirm whether this revised IA has now received a green rating from the RPC?

I agree with the Secondary Legislation Scrutiny Committee that, sadly, the failure to produce this proper documentation in a timely manner occurs all too often. It makes it difficult for Parliament to carry out our scrutiny role and reflects a wider decline in drafting accuracy. I understand that the staff work under intense pressure but, in this case, I see no reason why all the checks could not have been carried out before the SI was laid, even if this resulted in a slight delay.

The Secondary Legislation Scrutiny Committee also quite rightly raised concerns about the lack of contextual information in the original Explanatory Memorandum. I absolutely agreed with them on this. It was not until I read the impact assessment that the background and intent of the SI became clear. There is now a revised EM but the original printed version of the SI, which I collected from the Printed Paper Office, as I suspect the noble Lord did as well, contained the original Explanatory Memorandum, which again underlines the inadequacy of the processes adopted by the department.

In this context, I have some questions which arise from the impact assessment rather than the EM. First, is it the case that the only adequacy regulations currently in existence are with the Republic of Korea? As this is the first such agreement, how are the provisions of the regulations being monitored, and have any data breaches been identified? I hope that we would learn from that first experiment, if you like, with the Republic of Korea. Any information on how that is working would be appreciated.

Secondly, what criteria do the Government use for prioritising other potential data partnerships, as listed in the IA? Are any others near completion?

Thirdly, since Brexit and the failure of the EU privacy shield, the EU and the US have developed the data privacy framework, and we have signed up to the UK extension of that framework. In what ways does the extension vary from the EU-US agreement? If the European Commission varies that agreement, can we be assured that the UK extension will seek to reflect those changes? This would make it considerably easier for businesses to navigate the rules in the longer term.

Fourthly, since there is some sensitivity around this currently, today’s announcement that the NHS has handed US spy tech firm Palantir a contract to create a huge new data platform has rightly caused concern. Does this agreement come under the new data adequacy rules covered by this SI? Is it the case that individuals cannot opt out of the scheme, as reported in the press? What would prevent Palantir selling on the data to other US companies, provided they signed up to the US Department of Commerce’s self-certification scheme?

Incidentally, I could not see in the impact assessment any assessment of the robustness of the US rules. For example, how many data breaches are there per annum and what sanctions are taken against those who breach the rules? It is all very well having an adequacy rule, but we want to know how it is working in practice and what the US’s history has been on this. Does the Minister have any information on this?

My last question leads on to the Secondary Legislation Scrutiny Committee’s last recommendation, which has also been highlighted by the noble Lord, Lord Clement-Jones. The UK public are understandably suspicious about how their personal data could be misused or monetised by big corporations, both here and abroad. If they have nothing to worry about in this instance, it would have been helpful to hold a public consultation to provide reassurance and build confidence in the policy. As it stands, there are bound to be concerns about the underlying consequences of this proposed agreement. As the Secondary Legislation Scrutiny Committee points out, an increasing number of experts and specialist lawyers could have contributed to the development of this policy, particularly as it may be a model for other agreements in the future.

I hope the Minister can reflect on these concerns and take them back to the department. I hope that he can also address the specific questions I have raised, and that he can assure us that the lessons about the way documentation is presented to Parliament for approval in the future will be taken on board.

Type: Proceeding contribution
Reference: 834 cc798-800
Session: 2023-24
Chamber / Committee: House of Lords chamber